This Q&A is part of a new GovLoop series called “CIO Conversations.” Throughout 2018 we’ll feature conversational interviews twice a month with current and former federal, state and local chief information officers to get to know the people behind the titles. You’ll learn about the perks and challenges of their job, how they ended up in their current position, what’s top of mind for them, how they’ve rebounded from setbacks and more.
In our personal lives, we’ve come to expect rapid technology updates and continuous releases of new software features. But can government employees expect the same type of experience at work?
FEMA CIO Adrian Gardner thinks so.
To support this vision, Gardner is embracing more of an Agile methodology that supports continuous updates to FEMA applications. The agency is also working to implement DevSecOps, which essentially ensures that security is introduced early and often into the application development cycle.
These aren’t just nice-to-haves or one-off projects, but efforts that are part of a larger strategy to modernize FEMA’s legacy technology.
“I have a lot of legacy,” Gardner said in an interview with GovLoop this month. “So I may be able to craft this brand new capability, but then the ability to test against legacy is vitally important because there’s a lot of inner connections and interfaces.”
The Homeland Security Department average for a new system from initiation to actual rollout is a little bit more than 300 days, Gardner said. “If you look at the Netflix or the Ubers of the world, they’re releasing new capabilities in a secure way, real time.”
But the road ahead isn’t without challenges, some of which were recently cited in a February management alert from the DHS inspector general. Gardner could not speak on the matter but did share his current priorities as CIO, how his agency is prioritizing modernization projects, what FEMA is doing to eliminate passwords and more.
In the interview below, Gardner’s comments were edited for length and clarity.
GOVLOOP: What is top of mind for you?
GARDNER: Being a CIO, one of the most important things is to understand the culture of the organization and be able to assess how IT fits into what the agency and organization does. When I first joined FEMA, one of the things that I did, with the support of the administrator, was to ensure that I got out to the field and engaged with the customer base. And we have continued that.
So if you look at going through the 2017 hurricane season, about 85 percent of the staff and resources were deployed, to include my federal leadership. A number of our GS-15s, which are at the government executive level, deployed out to the various sites supporting hurricanes Harvey, Irma and Maria. One of the things that that does is really gives them an understanding of what’s going on in the field and also puts them in touch with the very customers that they serve.
GOVLOOP: So what are your top two or three priorities as FEMA CIO? What’s currently on your plate?
GARDNER: Definitely, one of them is modernization. We have basically three major modernization activities underway: grants management modernization, financial system modernization, and then the last one is looking at the modernization of the flood insurance program. There’s also a fourth one that’s almost like a support piece to all three, which is also looking at how our data is managed. So we have an enterprise data warehouse, but we are looking to modernize that as well to look at how data could be used more as an agencywide asset for real- time decision-making. We have a number of activities underway around our FISMA [Federal Information Security Management Act] scorecard, but also then trying to manage the operational security environment.
There’s a lot going on of just managing real-time security, which has always been a challenge. That is something that I’m always cognizant of, always concerned about, and it will always be a priority for me. I think the last one is then people, having the right people to execute with the right competency skills. The other part of it is we’ve been taking some deep dives into the pool, if you will, on cloud. So we already have a number of applications in the cloud, but we actually this year are trying to roll out a new dev-test environment.
GOVLOOP: Are you looking to use the Technology Modernization Fund?
GARDNER: In my opinion, it’s one of the tools in the tool basket that we have. We’re trying to figure out how that’ll play within our current strategy. The first thing we’re doing is looking inward. How could we do this more efficiently. The administration is in the process of rolling out a new strategic plan. One of those things is reducing complexity around our IT systems and our business processes. Before I think we’d really leverage the fund, I would want to make sure that we completely understood what the de facto end state would be. And we’re in the middle of that now.
GOVLOOP: What other projects are you prioritizing?
GARDNER: We’ve done a lot around modernization coming out of the OPM [Office of Personnel Management] breach, around credentialing and using our PIV cards for access.
We use user-based enforcement to do that. Now we’re taking the next step of moving that toward a modernization for how folks access applications. We’ve wrapped those applications with a single sign-on capability. In other words, getting rid of passwords. We’re close to eliminating all password use, where you have your PIV card and your pin to gain access to a number of applications.
We’ve done that for 76 applications, which we consider to be our high-valued assets. High-valued asset is anything that contains financial information, personally identifiable information, or it’s considered mission essential. The next piece is we’re extending that to what we call PIV I [PIV Interoperable] and then also derived credentials. So PIV I we’re sending that into state and local environments. So what we’ve been doing is through a number of our processes, to include grant dollars, is begin to build relationships where they would have not only physical access to our facilities with their state-issued PIV card, but also access to our system. It’s really meeting the intent of HSPD-12 [Homeland Security Presidential Directive-12].
GOVLOOP: What’s next?
GARDNER: The next thing is that we’re also now looking at derived credentials, which means that now I can take my PIV card and digitally sign from my iPhone. We’re also moving the applications to digitally sign things, and complete day-to-day work processes like travel, approving of acquisitions and signing memorandums. I’d say within the next six months that would be fully deployed.
GOVLOOP: You’ve served as the deputy CIO for IT Reform at the Energy Department. In terms of IT reform, what do you see as the most significant changes between then and now?
GARDNER: Back then, IT reform was all about the lines of business. Those are still alive and well, but we moved from the lines of business where we looked across the portfolios that different agencies had and began to look at how we could then standardize capabilities across the federal government. That’s worked well for a number of years. But I think we’re coming to the point now with cloud and everything else, now I think you see that model may be drastically changed. Now the private sector may be taking on more responsibility for that.
Think about how companies are supporting different agencies, and then who within the private sector is doing that extremely well. How can industry begin to team up with agencies to think about services in the same way? I think there’s going to be this opportunity tfor the federal folks to really talk about how we can jointly identify requirements.
GOVLOOP: Are there lessons learned that you’re applying from the past to ensure IT modernization is successful at FEMA?
GARDNER: I would say learning from others. We’ve been out talking to USCIS [United States Citizenship and Immigration Services]. We’ve talked to NGA [the National Geospatial-Intelligence Agency]. We’ve spoken to Agriculture about how can we learn from some of the things that they’re already doing and apply them here at FEMA. I think the lesson is because you have a challenge or a problem, don’t believe you’re the only one facing it. We looked at USCIS, how they’re running their agile process and how does that actually play into acquisitions. We looked at NGA; we’re having a whole discussion with them about DevSecOps and ATO [authority to operate] a system in a day, real time.
GOVLOOP: What techniques or tools do you use to balance everything that’s on your plate?
GARDNER: I just try to stay grounded. I do a lot of self-reflection. The other piece I would say is that I take a lot of joy in mentoring people. Those are the things that keep me balanced — and obviously family and friends. You have to think about how do you support yourself as a leader. If you can’t do that, then you can’t lead well.