On the 22nd May 2021, President Joe Biden signed an executive order to improve the national cybersecurity posture.
Section 2 of the Executive Order was all about sharing threat and incident data between government and service providers.
Section 3 takes Government Agency IT by the scruff of the neck and looks to drag it into the 21st century. Service providers to government don’t get off lightly either: they need to shape up to the new standards or ship out.
Requirements in Section 3

The requirements listed in Section 3 of the Order look like every IT manager’s wishlist and nightmare in equal measure.
- Get rid of all the old stuff.
- Move everything to the cloud. Fantastic.
- And we need it done yesterday. Metaphorically. Oh…
The sheer scale and pace of the proposed changes will stagger anyone who has worked with legacy IT platforms.
The timelines proposed are in the second mind-map below, but significant progress is expected on a solution to every agency’s problems within a year of the order.
Timeline for section 3 actions

That is lightning pace and will stretch the capacity of IT staff across federal government, as well as every service provider throwing their talent at the problem.
Not only do federal agencies have to plan their own migration to the cloud, they need to work together towards a common cloud strategy.
Clearly the checkbook is open, but a hugely under-resourced IT footprint within federal government trying to tackle this is likely to create a chaotic environment.
Consultancies get ready
This sounds like consulting heaven. Need more resources for your plans? We can provide those resources. The gravy train is leaving the station. The government’s vetting process is likely to collapse trying to clear all of the new people entering agencies to fill the void.
This coin does, however, have two sides. If your company provides services to the government and does not meet the new standards, then your contracts will not be renewed, and you will be thrown bodily from the train.
This then creates a secondary resourcing surge as service providers frantically try to remain compliant with all of the new requirements placed on them by this new order.
The realities of legacy IT
It’s called legacy IT for a reason. Someone back in the day looked at the legacy application in question and attempted to port it, or rewrite it, or re-platform it. And it was a horrible, expensive failure that the IT department carries the scars from to this day.
It’s legacy because it was so hard to change that changing it was not economical to consider.
These agencies most probably have their fair share of mainframes running custom applications written in COBOL and FORTRAN. Not something you want to throw a Python rookie at.
The experts for these systems are either retired, about to be retired, or deceased.
Coming up with a common method of encapsulating these systems and still having them work effectively in a cloud-first architecture will be a massive challenge.
But the Executive Order is clear on one thing. This is where it stops. No more legacy. No more excuses about why it can’t be done. It will only get worse from here, so the President is ordering every agency to bite the bullet and stop the bleeding.