Achieving Pragmatic, Operational Modernization for the SEC
In 2016, a major cybersecurity breach of the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR®) system revealed the need to modernize the mission-critical resource while addressing continuous data availability. With 30+ years of trusted service to the agency’s sister regulatory organization, the IRS, Maximus was well positioned to incrementally modernize the indispensable system through a pragmatic approach to new technology adoption, operations, and maintenance.
Services provided
- Expert deployment of first SAFe for EDGAR
- EDGAR system refactoring for cloud readiness
- Quantitative management of solution delivery
- First migration of SEC.gov to cloud
- Replacement of outdated hardware, software, and middleware
- Dedicated maintenance and surge support for system upkeep
Success achieved
- Retired legacy hardware and software, saving $2M per year in support costs
- Closed 30 long-standing plans of action and milestones in year 1
- Reduced production deployment time from 40 hours to 45 minutes
- Achieved 140 software releases with new CI/CD pipeline
- Reduced disk volumes from 300 to 4
Creating a path for future transformation
Challenge
Since 1993, EDGAR has managed private sector securities filings and complex documents to help the SEC achieve its mission goals. Processing about 3,000 filings daily, the system makes 3,000 terabytes of data public each year. Though EDGAR used dedicated hardware, the system’s legacy software and middleware were out of date and lacked modern security and scalability features. The outdated technology was showing its age in availability on peak filing days and surges, and in vulnerabilities that reached critical urgency with the 2016 security breach.
To immediately address the security issues, the SEC worked with Maximus to determine the cause of the breach (software vulnerabilities), to implement advanced encryption to protect EDGAR’s data, and to find a pragmatic approach that would maintain system availability and improve efficiency while prioritizing cybersecurity.
Approach
Working with Maximus on the first large-scale modernization project of its kind for EDGAR, the SEC’s incremental approach began with replacing outdated middleware and software components. EDGAR leadership also sought and secured funding for cloud preparation, recognizing that the investment would yield security and operational benefits. These updates cleared a path for future system transformation.
Optimization and Security
Maximus established a dedicated EDGAR security team to begin the process of making the system cloud-ready and establishing continuous authority to operate (cATO) to automate continuous monitoring of security threats and vulnerabilities. Optimizing the system with modern hardware and software was also a priority, along with implementing modern database and operating system solutions.
Transformation and Innovation
With modern software and middleware in place, the team established a Scaled Agile Framework (SAFe®) to improve EDGAR’s scalability, containerized its applications, and established a continuous integration/continuous development (CI/CD) pipeline with DevSecOps to create a cloud-ready platform. Working incrementally, the SEC opted to keep EDGAR on-premises but refactor the system to be ready for cloud migration.
Through these processes, the security team worked in lockstep with SEC business and IT leaders to successfully implement their approach. Keys to success included:
- Executive alignment with SEC leadership to establish governance, communicate the importance of the modernization efforts and maintain active project support.
- Efficient procurement of all software, enabling rapid replacement of outdated technology.
- Strong project management to oversee implementation of SAFe® and establishment of cATO months in advance, enabling system troubleshooting prior to launch.
- Value-added partnerships to augment systems architecture expertise through Maximus’ vendor partnership with Red Hat.
- Incremental steps to make innovation inroads across the agency, including proof of concept projects to gain buy-in by improving transparency and collaboration across agency divisions.
Results
Completed on time and $300K under budget, EDGAR’s new architecture:
- Increased security, reducing system vulnerabilities from thousands to fewer than 20.
- Improved system availability, including the smoothest SEC peak filing day on record in 2021.
- Doubled securities filing throughput while reducing complexity and costs.
- Increased scalability by replacing outdated software and hardware.
- Added support for storage provisioning and additional storage with no application downtime.
- Improved time to value by enabling fast, frequent, and secure deployments compared with previous error-prone, infrequent updates.
In 2021, Maximus deployed new beta features, including multi-factor authentication, an interface redesign, and artificial intelligence. The projects completed to date have established a sustainable foundation for innovation and modernization for EDGAR and across the SEC’s IT systems.