BTW, a little primer that got buried in a recent thread - but is applicable for the "Why didn't the US Government do better for the #SolarWinds since we throw so much money and resources at it..." - the simple answer is, "we didn't, actually" and here's a little why. #thread
I officially became a Fed in 2010, but was a contractor in 2006/2007 and an FFRDC staff 2009/2010, so I go back a ways... but the Federal budgeting process has changed a little in that time... thank you deficit spending.
Our housing bubble famously exploded in 2008, so THAT was fun. But it caused some scramble on how the Federal government went about funding stuff. Mainly, as tax dollars dried up a little and folks supposedly got serious about balanced budgets, agencies were forced to...
...think about programs that were previously multi-year behemoths, as well as statutory programs (like Medicare, etc.) that were going to have their operations affected by pullbacks. We called it "sequestration" in 2013, and it occurred after the Budget Control Act of 2011
It affects agencies and their planning to this day (and I can't imagine when it won't especially after the pandemic now) - but often the agencies create budget plan given their missions, some new stuff they may want to do, like modernization, etc. - and formulate a budget request
This goes to OMB for review and markup... basically always ask for a little more than you need, but don't pad it too bad, because, like Pawn Stars, you're gonna be negotiating... but usually it's less than what you wanted because of that Budget Act...
As I mentioned, Medicare, VA bennies and Social Security are exempt mandatory/statutory programs... but you still have to operate them, and the USG is big and intertwined... so it's hard just to cut out a chunk and tell an agency this is for this and that is for that.
Say for the newer focus on cybersecurity, because agencies are often funded at the programmatic, initiative, or bureau/office/division-level, doing anything enterprise is "passing the hat" and hoping folks chip in... sad but true, unless you are lucky to get an appropriation...or
See a program like the Technology Modernization Fund, which was designed to help small "micro" agencies and commissions (like the FTC, EEOC, etc.) who don't often have the right funding to take on a major upgrade or modernization unless tied/riding on something else (backdoored)
Large agencies, and this REALLY irritated me, but I knew it was going to happen... have program offices that know how to work the system, and they were first to the trough to ask for "a little sump thin'" from the TMF to shore up programs already in progress...
For HHS, it was their beleaguered PeopleSoft implementation - which was (and probably, still is) a major CF of monumental proportions. Interior had that with FBMS, but the TechStat program from OMB kicked it in the ass, and they eventually went live in, IIRC, 2013.
So, again, like pigs muscling into the trough of the very ambiguously defined way the money was to be used and allocated (and I have no idea what deals were made), near zero small agencies got initial TMF funds... so, guess what...
budget designed to help the most in need, never actually went that way (sounds familiar with other programs, doesn't it?)... internally, same thing goes for cybersecurity. They centralized policy and some ops in DHS, but they weren't exceptionally funded.
Phase One of CDM was severely under budgeted, because the initial estimates were WAY off, and it seemed very little mechanisms were left for DHS (and GSA) to go back to Congress and OMB and ask to expand... so scope was cut.
and that's how a lot of the programs are... because DHS, put in charge of this, has near zero knowledge of how agencies run things... because the lack of information sharing is a feature, not a bug. So when agencies finally surveyed their environment, DHS said "whoah"
and it's also endemic to how OMB does planning, since they often issue data calls to agencies, with a relatively quick turnaround time, and by the time they get to folks who can provide the data, it's not reliable and is self-attestation at its best.
There may be a 30-45 day window but as it gets passed down, sometimes 15-20 days have been already taken up in working it down to the components and then it's a scramble to find out who has the data requested, because it's never a regular or uniform request framework.
Oddly, I say I saw this both as somebody who saw it at work from the OMB eGov office, but also somebody who managed those same data calls at HHS OIG... I got both ends of the sticks and it wasn't pretty.
(also, in most cases OMB is staffed by non-techies/practitioners, so they are often asked to "get X" and may not develop the best question or method to ask for the data from agencies... so the 15-20 days sometimes is also interpreting the request)
so you may get a week or so to collect stuff, format it, check it for completeness, or even when needed, ask for clarification... which in itself takes time and rarely gets a good answer.
So how does this affect Congressional appropriations... well, OMB puts the request (President's Budget), Congress folks have their own (CBO) and they, as we've seen with the recent budget stuff, differing views on what's needed.
So with sequestration, lack of domain knowledge, and very abysmally bad broad budget and legal language (presumably there for some flexibility), we get poorly funded programs that are often under funded and resourced with no clear direction on what is supposed to come of them
So asking/mandating CISA to do "pen tests" to "threat hunting" on agency networks - seems like a way to shoulder agency burdens - their own lack of agency knowledge will require learning (often done by contractors at the behest of DHS/CISA) and negotiation... so slow and mistakes
plus the agencies will be like... "why don't you just fund our cybersecurity efforts properly"... but of course any read of Politico, The Hill, GovExec, FedScoop, will find plenty of mismanaged or failed programs that get press, regardless of good intentions...
so we are in a vicious cycle of declining budget funding, hard decisions of which fire to put out (aging systems are that lovely tech debt), and constant advancing attackers, because agencies still have a mission to perform... the tissue paper keeps getting thinner
so, that's my piece for now, but it's a nasty dance of budget, resourcing, and who has the con (as it were) to control their own security destiny... feel free to comment or correct, but this is the incoming admin's challenge to "get" IMHO... big-ass challenge
I can say I looked at programmatic budgeting for my agency, and the budgets which I managed, to see if I could squeeze in resources that serviced the primary need, but also ancillarily helped a wider scope of work. More "bang for the appropriated buck" as legally as we could.
Oh, also, if you want to get into deep budgeting and appropriations, think about 1-year vs. no-year funding, as well as "the color of the money" which tightly restricts when and how Federal budget dollars can be spent. It's never always just a technical issue at that point.
JFYI... I'm still available for back-rub, long walks on the beach, bar mitzvahs, Federal leadership roles, and hosting beer tastings, cookie baking, and the occasional Federal explainer... #cheers and #HappyHolidays
oh, totally forgot about passback... not going to go into too much depth here... but that shit is fun AF... if you have any Federal officials who do budgeting, this is the time you are REALLY nice to them.

washingtonpost.com/politics/passb…
Mind you the EEOC *just* got a TMF loan this year, but everybody else was a CFO Act large agency. Prior years saw similar "weighting"; oddly, the current round included a HUD project, not surprising from the Deputy Federal CIO's former agency...
However, immediately finding repayment info on the loans from 2018 and 2019 has been less than easy to initially find (I'm also doing a lazy Google search). Gonna guess the replenishment rate won't match demand for amounts... so, it'll dry up.

Thread by Amélie E. Koran (@webjedi)