OMB turns up oversight heat with cyberstat

Monday - 2/28/2011, 6:58am EST

By Meg Beasley
Reporter
Federal News Radio

The Office of Management and Budget had success using techstats to fix problematic IT systems. Now, Federal Chief Information Officer Vivek Kundra said agencies should get ready for similar cybersecurity oversight. Cyberstat sessions are a new, more intense brand of oversight to plug security holes in agency networks.

"The cyberstats are obviously classified because we're dealing with very, very sensitive information," said Kundra, during a panel discussion with other federal CIOs Friday at a breakfast hosted by AFCEA Bethesda. "The first one we did was with the Department of Education. We had great outcomes. The cyberstats are actually leading to very, very concrete actions and outcomes."

Kundra didn't offer too many details of how the program works because of its sensitive nature.

Cyberstats is one of several new IT initiatives, especially around cybersecurity, OMB is pushing as part of the fiscal 2012 budget request.

Kundra said OMB also directed agencies to invest in continuous monitoring tools. He said agencies have been using a bureaucratic approach to cybersecurity full of paperwork that doesn't actually make anyone safer.

He said the budget would devote more than $450 million to develop blue and red teams that will actively attack government systems to find weaknesses before they are exploited.

Richard Spires, the Homeland Security Department's CIO, agreed that continuous monitoring is one piece of the larger reform puzzle. But he said agencies need to simplify the underlying architecture of many systems in order to implement successful continuous monitoring. He says agencies will need industry's help to lay that new foundation.

But Kundra says agencies aren't just sitting back and waiting for industry to bring solutions to them.

"We've got a number of organic CIO communities that are looking at collaboration technologies, infrastructure, even financial systems," Kundra said. "They're very interested in moving forward aggressively - they're not just meeting to discuss issues, they're actually getting together to put RFPs in place."

Kundra said the General Services Administration will issue a solicitation in the coming months that could be worth more than $3 billion for tools to build a community of collaboration.

Meanwhile, Kundra said the budget guidance calls for another transformation of agency operating structures. He said a study of underperforming programs found a common problem - large scale ERP systems that promised to do everything, and actually delivered nothing.

"Where we're heading, and we've sent a very clear signal from a demand perspective, is that we want the federal government to move away from the old model of IT management and IT acquisition, which was based around asset ownership, and shift to service provisioning," said Kundra. Service provisioning is the idea that agencies subscribe to specific services rather than purchasing entire IT systems.

Kundra said the move has already begun with e-mail. Agencies such as GSA and the Department of Agriculture no longer own thousands of servers to operate their e-mail systems. He says GSA and USDA saved $6 million and $15 million, respectively, by getting rid of their e-mail servers.

"Imagine what would happen if we went after the financial systems," he said.

Kundra said he envisions building agencies with absolutely no asset ownership and no need to buy data centers or IT systems. But he says the market must mature before that goal can be realized.

DHS's Spires agreed that agile infrastructure will improve efficiency, but it also will require a change in agency culture. He said shorter timelines for project delivery will spur agencies to move faster.

"Perfect decisions are the bane of our existence," Spires said. "It's much more important to get a decision made and move along with the information you have, especially when you're in these compressed timeframes. I'm not saying you're going to always get it right, but you're going to move the ball forward, you're going to learn, and you have a chance to adjust later on."

Roger Baker, Veterans Affairs Department's assistant secretary for information and technology and CIO, agreed that a streamlined process is much more effective.

"Program managers just want to deliver," Baker said. "We've found that if we get the bureaucracy out of their way they can actually do a pretty darn good job of doing that."

He said VA has a "red flag" program that makes accountability a two-way street - program managers are responsible for delivering but managers are responsible for removing barriers.