Biggest challenge in realizing agile, efficient government IT continues to be the required cultural change, says Federal CIO Steve VanRoekel.
PortfolioStat -- we'll do a major check-in on deliverables from last year, like, 'Where are you on commodity IT,' and then we'll start to move up the stack. What we learned as we started doing PortfolioStat is that agencies fall into one of four categories. They're either the Wild West where every department, every subagency does their own thing, procures their own stuff and there's a lot of fiefdoms. Then you've got the next level that's rationalized commodity IT, where they'll run one email system, have one way to procure computers or mobile devices. The third is where they've started to rationalize the mission side of government. The top level -- and we're starting to see some early indication of this happening at some of the agencies -- is a service orientation.
Say you come to me from some far corner of the department, and I'm the CIO, and you say, 'I want to build a mobile app.' I say, 'Great, here's a ready development environment, a test environment, a deployment environment,' and I give those to you as services. By developing in those environments, you snap to my enterprise architecture, my cyberinfrastructure. As we think about that commodity [direction] and building mission-based solutions, there's a lot to be said to move up that stack.
There was also a big focus in PortfolioStat on the establishment of investment review boards to get agencies to think about IT as a piece of a broader puzzle in managing their departments. So we're going to continue to think about strategic planning.
The Digital Government Strategy is continuing. It launched in May as 12-month strategy with a bunch of deliverables. The intention was to start to change the culture around the way we treat data, build mission systems, embrace mobile, think about security and privacy on the mobile platform, and really turn the dial on citizen-facing services. A lot of the deliverables are tactical, but they're in search of this objective of thinking about a more modular government, a more open, standards-based data approach, and about citizen services in a way that's much more open.
InformationWeek Government: The Open Data Policy is part of that. When should we expect something there?
VanRoekel: Forthcoming. I won't predict anything in terms of time, as there are clearance processes, but you should expect some stuff pretty soon. The spirit of that is machine-readable [data] becoming the default, thinking about standardized schemas, rethinking data.gov -- all of those are things that you should expect in 2013 coming out of the Digital Government Strategy.
The strategy is a piece of a broader innovation agenda of the administration that includes the Presidential Innovation Fellows program that [federal CTO] Todd Park and I are working through, and rethinking the impact of those efforts to build platforms to scale inside government, things like MyUSA to think about citizen-based access to government or how we present medical records to veterans in a new way. All of that is around an agenda that is centered on open data, open platforms and building in new ways.
InformationWeek Government: What's next with CyberStat?
VanRoekel: We have a close working relationship with the national security staff, including federal cybersecurity coordinator Michael Daniel. One of those things is that the tenets of CyberStat are the right things -- continuous monitoring, Trusted Internet Connections, HSPD-12 cards and multi-factor authentication. All the elements of CyberStat are going to be consistent [moving forward]. You'll see continued progress on that. FISMA only gets us so far, checking your cybersecurity posture every several years through a FISMA audit is not even close to real-time enough, so the big effort we've been putting forward is turning the dial on continuous monitoring.
How do we set up a government-wide vehicle for agencies not only to pipe their traffic through a trusted connection and monitor that connection through our efforts with the Einstein project, but also think about the network itself? A lot of the threats come when someone plugs a USB device that's been compromised inside the network, so continuous monitoring will cover a broader range of the threat surface.
We just put out a contract to [the Department of Homeland Security] and [the General Services Administration] that not only covers the federal government but has partnerships that reach down to state, local and tribal, so we're going to combine the buying power of a big entity to go out and tackle this challenge. This year, you're going to see lots of progress on it.
FedRAMP is a big category of it as well, as we think about the continued evolution of cloud computing. The second vendor has been authorized on FedRAMP. I think we're going to see a pretty steady clip. We have about 70 vendors or more standing right behind them in line.