Federal CIO Q&A: Security, Sequestration And More

IBM Smarter Cities Challenge: 10 Towns Raise Tech IQs

In the 18 months since he was appointed federal CIO, Steven VanRoekel has been a change agent in government IT, overseeing a half-dozen tech initiatives launched by his predecessor, Vivek Kundra, while introducing new projects of his own.

As the Obama administration enters its second term, VanRoekel plans to "follow the themes" established during the administration's first term rather than going in some new direction, VanRoekel said in an interview earlier this month with InformationWeek Government. He cited "incredible progress" in federal IT reform and transformation.

That doesn't mean VanRoekel won't shake things up. At $79 billion, the federal IT budget has been flat for four years, and spending might get even tighter. In planning for fiscal 2014, VanRoekel advised the CIOs of federal agencies to plan for 10% budget cuts. With downward pressure on tech spending and the specter of sequestration looming, federal IT teams have little choice but to work differently.

[ Want to know the secret sauce to government IT success? We Must Run Government IT Like A Startup. ]

VanRoekel laid out his IT priorities and plans for the year ahead and for the Obama administration's second term. He discussed the need to innovate and to bolster cyberdefenses, while arguing against the need for new legislation aimed at federal IT reform.

InformationWeek Government: In recent testimony on Capitol Hill, you outlined three priorities for this term: innovating for the American people, improving the return on investment for federal IT and enhancing cybersecurity.

VanRoekel: Innovate, deliver and protect. If you look at the history, the way you looked at IT spending in federal government is that to do new things, we built a culture where we had to spend money. In the prior administration, we were growing IT spending about 7% a year on a compound annual rate, and if you draw that curve out into the future, we'd be well over $100 billion in spending now on technology. The President took it flat, and under my watch we took it down a little bit.

All of that at a time when we couldn't be more dependent on technology and the pressures on the federal government to deliver around technology couldn't be more important. The citizen expectations, smartphone growth, cybersecurity, the fiscal pressure -- technology is part of the solution to all those opportunities and challenges. So we had to work on a mechanism to go out and find a way to live within our means, to continue to promote and advance innovation in technology, and do that in a cost-neutral or cost-negative way. If you look at the things we've been doing, we have been saying, 'Let's go out and ruthlessly save on things we can.'

The big highlight there was PortfolioStat, where I saw the low-hanging fruit in getting rid of commodity duplication. We're going to keep advancing that this year, thinking about how we move up the stack, starting at commodity -- how many email systems you have -- and with those investment dollars, pour that back into the cap-ex column and really understand how we're going to spend that on new ways of doing things.

We have to change the way we build, deploy and use technology inside government. That's really the innovation agenda: thinking about digital, mobile, all those things, and being very deliberate in our budget guidance telling agencies to cut a certain percentage and reinvest a certain percentage. We told them to cut 10% and reinvest 5% automatically, in these new ways, but to use PortfolioStat as a way of finding that.

Then, of course, cybersecurity, given the evolving threat, is important enough that it needs to stand alone.

InformationWeek Government: You mentioned three initiatives: Digital Government, PortfolioStat and CyberStat. Where are you taking those going forward?

VanRoekel: PortfolioStat was always intended to have a focus on continuous improvement, to think about how we keep the ball moving forward. A critical element on our team was standing up a new effort internally by building a small analytics team that can go out and gather data across the federal portfolio and understand what they're doing. Congress gave us some modest funding last year. That team is going out and thinking about not only what exists in each of these departments, how many email servers are running, how many this, how many that, but also starting to look at how much should email cost … so that we can try to set a baseline that we can run at and try to figure out how we can maximize the savings and the ROI of our investments. PortfolioStat -- we'll do a major check-in on deliverables from last year, like, 'Where are you on commodity IT,' and then we'll start to move up the stack. What we learned as we started doing PortfolioStat is that agencies fall into one of four categories. They're either the Wild West where every department, every subagency does their own thing, procures their own stuff and there's a lot of fiefdoms. Then you've got the next level that's rationalized commodity IT, where they'll run one email system, have one way to procure computers or mobile devices. The third is where they've started to rationalize the mission side of government. The top level -- and we're starting to see some early indication of this happening at some of the agencies -- is a service orientation.

Say you come to me from some far corner of the department, and I'm the CIO, and you say, 'I want to build a mobile app.' I say, 'Great, here's a ready development environment, a test environment, a deployment environment,' and I give those to you as services. By developing in those environments, you snap to my enterprise architecture, my cyberinfrastructure. As we think about that commodity [direction] and building mission-based solutions, there's a lot to be said to move up that stack.

There was also a big focus in PortfolioStat on the establishment of investment review boards to get agencies to think about IT as a piece of a broader puzzle in managing their departments. So we're going to continue to think about strategic planning.

The Digital Government Strategy is continuing. It launched in May as 12-month strategy with a bunch of deliverables. The intention was to start to change the culture around the way we treat data, build mission systems, embrace mobile, think about security and privacy on the mobile platform, and really turn the dial on citizen-facing services. A lot of the deliverables are tactical, but they're in search of this objective of thinking about a more modular government, a more open, standards-based data approach, and about citizen services in a way that's much more open.

InformationWeek Government: The Open Data Policy is part of that. When should we expect something there?

VanRoekel: Forthcoming. I won't predict anything in terms of time, as there are clearance processes, but you should expect some stuff pretty soon. The spirit of that is machine-readable [data] becoming the default, thinking about standardized schemas, rethinking data.gov -- all of those are things that you should expect in 2013 coming out of the Digital Government Strategy.

The strategy is a piece of a broader innovation agenda of the administration that includes the Presidential Innovation Fellows program that [federal CTO] Todd Park and I are working through, and rethinking the impact of those efforts to build platforms to scale inside government, things like MyUSA to think about citizen-based access to government or how we present medical records to veterans in a new way. All of that is around an agenda that is centered on open data, open platforms and building in new ways.

InformationWeek Government: What's next with CyberStat?

VanRoekel: We have a close working relationship with the national security staff, including federal cybersecurity coordinator Michael Daniel. One of those things is that the tenets of CyberStat are the right things -- continuous monitoring, Trusted Internet Connections, HSPD-12 cards and multi-factor authentication. All the elements of CyberStat are going to be consistent [moving forward]. You'll see continued progress on that. FISMA only gets us so far, checking your cybersecurity posture every several years through a FISMA audit is not even close to real-time enough, so the big effort we've been putting forward is turning the dial on continuous monitoring.

How do we set up a government-wide vehicle for agencies not only to pipe their traffic through a trusted connection and monitor that connection through our efforts with the Einstein project, but also think about the network itself? A lot of the threats come when someone plugs a USB device that's been compromised inside the network, so continuous monitoring will cover a broader range of the threat surface.

We just put out a contract to [the Department of Homeland Security] and [the General Services Administration] that not only covers the federal government but has partnerships that reach down to state, local and tribal, so we're going to combine the buying power of a big entity to go out and tackle this challenge. This year, you're going to see lots of progress on it.

FedRAMP is a big category of it as well, as we think about the continued evolution of cloud computing. The second vendor has been authorized on FedRAMP. I think we're going to see a pretty steady clip. We have about 70 vendors or more standing right behind them in line. InformationWeek Government: You and others have said that once FedRAMP is operating, we might see it expanding beyond cloud computing.

VanRoekel: We're definitely looking at that. I think mobile would be the first thing in that space. Pre-authorizing the risk and management of these programs is proving to be not only really cost effective, but being able to preclear a bunch of stuff once and then scale that across the federal government is proving very fruitful. One of my fears with mobile is that our security checks don't keep up with the pace of technology. We've got a new device coming out more than once every six months. The way we could keep up is do that from a more central standpoint, as new devices come in, authorize them. Once a central agency or host agency does that, they can say, 'This is trusted across the federal government.'

InformationWeek Government: This interview comes before the release of the federal budget. Can you give us a sense of the broad outlook for federal IT spending going forward?

VanRoekel: I can't quote any numbers or say anything specific, but the spirit is really around my budget guidance. To some extent, we're still at a point where IT is viewed as a discretionary thing. The President doesn't share this view, I don't, Todd Park doesn't, and I'm sure you don't share it. The private sector went through this inflection five to 12 years ago, depending on the industry, where IT moved from just this ability to do file and print and move emails around to this strategic asset to do business. It became the way we connect to customers better, build solutions better, control inventory, market our products.

In government, we're still in the midst of this. IT is this discretionary thing. We've been promoting the notion that IT gives you a 'lever up' ability. It gives you efficiency. You can do things better, faster and cheaper if you deploy IT in a smarter way.

If you go back to look at the history books, over half of the Fortune 500 companies were started in difficult economic times. You trace that back to what was going on at that time, IBM, P&G, Microsoft in a recession in the 70s, and it was always some inflection in technology that allowed them to catapult forward. I think our time is now to look at that [and ask] how do we drive innovation both inside and outside of government, to create that next Fortune 500 company, to foster that next wave of innovation in this country.

The spirit of our budget guidance really follows that. On a flat or declining budget, we need to find ways to save money. We need to steal from the cap-ex column to give to the op-ex column to drive innovation. If we just sit on our hands and do less with less instead of do more with less, we wouldn't make the progress we want to make.

InformationWeek Government: We're getting closer to the deadline on sequestration. Agencies have obviously started planning for that, regardless of what's going to happen.

VanRoekel: We're working with agencies on planning and thinking about what they do. The interesting thing from my vantage point is that while you have IT and the budget is out there, it's never just a standalone line item. It's part of almost everything we do, so as programs get considered for cuts, it's a part of all those things. It isn't just a specific tactic, like we need to go and cut here.

The general fear I have is that, by cutting technology or the IT budget, it's going to put us into situations where we stagnate progress or delivery of these things. I would worry that efforts would stall -- we heard that the VA and DOD's medical records effort is going to be stalled in a sequestration scenario -- so it puts us on our heels from a forward progress standpoint.

The other place it puts us on our heels is cybersecurity. Cybersecurity is such an evolving threat that we have to be ever-vigilant, proactive, investing dollars and engaging smart contractors to help us think about how do we really lean forward on this stuff. Sequestration could create scenarios where we bring it down to where we were without forward progress. In the case of being on your heels, being reactive, you could create a scenario where it's not where we need to be. InformationWeek Government: When you talked to Congress, it seemed like you said that additional legislative reform for federal IT management isn't really necessary at this point. Is this an accurate assessment?

VanRoekel: It is, totally accurate. I did come out and say that I think legislation isn't necessary, that there is room within the existing law to do what we need to do. I think we're making incredible progress. The fear I always have is that legislation is a snap in time. There are many laws on the books that affect how we do things online, but that don't even mention the Internet. Good laws leave room for interpretation, but technology [laws] are kind of touchy. You have to think about how you manage this stuff so you don't accidentally create a vendor preference or a technology preference that might be outdated in a year or two. While we're making incredible progress, I don't think that additional legislation is needed so that we can keep that progress.

InformationWeek Government: Given that, how do you provide CIOs with the right level of budgetary authority? You have also expressed concerns about dealing with the single-year budget.

VanRoekel: Where there potentially is room for legislative motion is thinking about budget authority and how we do budgeting. If you look at agencies that have capital budgeting, for example, they have a lot more flexibility to adapt with changing technology or changing demands.

When you lock in to specific deliverables or years, and then your budget window is small because you have years when you get the budget passed and then when you actually get it appropriated, it doesn't leave you a lot of room to really make smart decisions, to make long-run decisions. It creates a dynamic that breeds inconsistency. We have to encourage [Congress] to think about how they work through that. One of the key elements of the 25-Point Federal IT Reform Plan was budget flexibility.

Where it gets hard is that a lot of sub-agencies in government have relationship with their appropriations committees. You have flows of money that come in a way that don't allow that department to look left or right to say, 'Where can we go with this stuff?' I don't think we have an entitlement problem: I think we have a governance problem. That's why PortfolioStat has the deputy secretary of the department, sub-agency CIOs, the head CIO, the CFO, the human capital officer, all the C-levels sitting around a table. We found $2.5 billion in the first wave of PortfolioStat, and we think there's more out there.

InformationWeek Government: What's the biggest challenge for federal IT as the Obama administration goes into its second term?

VanRoekel: It's continuing on the road of cultural change. As I came into government when I was managing the Federal Communications Commission, I did an all hands [meeting] and I said I want them to wake up every day with the spirit of continuous improvement, never use 'That's the way we've always done it' as an excuse for forward progress.

InformationWeek Government: When you talk about cultural change, you're talking about moving from a culture of "that's the way we've always done it," of just keeping the lights on, to a culture of innovation?

VanRoekel: If I was here in government eight years ago and we needed a website, someone would say, well that costs $10 million, so we need to go find a vendor and spend $10 million -- that's what websites cost in government. Coming from high tech, I sit down and ask, 'Why? Why does it cost that much?' You can do things like create our Presidential Innovation Fellows program, have the RFP-EZ team come in and create this cool interface to engage small, agile vendors to rethink the way we do those kind of things. Now we say websites cost less than $150,000 and you get incredible output. You can change that dynamic, that culture, you just have to work your way through creating tools and resources and awareness.

InformationWeek Government: Are there any forthcoming policy changes or [Office of Management and Budget]-led IT initiatives that we should be aware of?

VanRoekel: We'll be doing lots of new things over the course of the second term, but all in all they'll follow the themes that we've followed before: How we think about innovation and the innovation agenda, how we think about ROI and moving up that stack and, on cybersecurity, we're going to keep moving down that road. Those are wide lanes in which to drive.

When I incubate a product or think about a new job, I tend to write the press release for the product for the last day I'm in that job. I've already written that press release. I've got it locked in a fireproof safe in my house on paper and I've deleted the electronic file. I want to always think about those outcomes -- what I want to say that I did, then work my way backward from that. At the end of the day, I want a government that can build modular, agile solutions completely differently than we do today that can be shared across agencies and that are superefficient. I want to create an opportunity for people who work in technology who are newly out of school or newly inspired to come find the federal government a great place to work and spread their wings and to give them permission to innovate within government and think differently, and I want to do it all in the context of a low-cost environment.