Hacks, CDM continue to push cyber to forefront of CIOs’ priorities

The Customs and Border Protection directorate in the Homeland Security Department is taking a two-pronged approach to protecting its systems and data in the cloud.

First, CBP is relying on third-party audits of cloud service providers through the Federal Risk Authorization and Mitigation Program (FedRAMP). Second, it’s sending its own staff of experts in to audit how vendors protect systems and government data.

“We are making sure the right procedures are being followed, diagnostic tools are being monitoring, there is a good accounting of security events and/or attempted security events, and also ensuring that data is not kept for periods beyond what the contract calls for. Say if data is supposed to be deleted after five years, we go in and ensure there’s not data that’s still sitting out there,” said Charlie Armstrong, CBP’s assistant commissioner for the office of information and technology and chief information officer, in an exclusive interview with Federal News Radio. “It depends on the situation for us. I anticipate we will be using a combination of both some internal, organic capabilities to do those audits and asking certain vendors to use third party auditors.”

CBP’s focus on cyber in the cloud and really across the board follows the ever-growing trend across government.

Now more than ever, federal chief information officers are paying more attention to cybersecurity.

Whether it’s the recent spate of attacks against commercial companies from Home Depot to Target to JP MorganChase, to the recent challenges brought on by vulnerabilities such as HeartBleed or Shellshock, or the ongoing push to implement the continuous diagnostics and mitigation (CDM) program, CIOs overwhelmingly in a new exclusive Federal News Radio survey say cybersecurity — not surprisingly — remains a top priority.

Federal News Radio surveyed more than 150 federal CIOs, deputy CIOs and other senior IT managers in September, and received a 20 percent response rate. This is the third annual CIO survey.

Respondents ranked security their agency’s systems and data as their top priority with an 8.56 out of 10 ranking. The next two priorities — moving back-office systems to the cloud and using IT to ease budget pressures — received just over a 6 out of 10 ranking.

While CIOs agree that cybersecurity is a top priority, there is less agreement on which initiatives have had the biggest impact over the last decade. When asked to rank nine different cyber initiatives ranging from continuous monitoring to Homeland Security Presidential Directive-12 to information sharing, CIO and deputy CIO respondents ranked six of the nine as highly impactful, but none really more so than others.

When it comes to CDM, 58 percent of the respondents say it’s just another tool in the toolbox, but 80 percent say it will improve their agency’s cybersecurity.

“CDM is one step in an ongoing process of evolution,” commented one respondent.

Another said CDM will help “by reducing resources unnecessarily spent for binders that serve no end.”

Armstrong said CBP sees one of the biggest benefits of CDM is staying ahead of zero day attacks through a better approach to patch management that is timely and dynamic. He said CDM also will help with CBP’s inventory of systems, knowing where they have hardware and software and what needs to be done to it to mitigate risks is a huge step forward.

In the survey, CIO and deputy CIO respondents say better patch management and improved workforce training are the two things today that would improve the cybersecurity of their networks.

Besides cyber, CIOs are spending a lot of time figuring out the best way to deploy cloud services.

A majority of the CIOs and deputy CIOs say they’ve moved email and collaboration services to the cloud, and 48 percent say hosting public websites was the next most common use of the cloud.

CIOs and deputy CIOs are using a government-only commercial cloud and a truly commercial cloud for most of these services.

At CBP, Armstrong said they are using a government-owned, government-operated cloud, but would like to eventually move to a government only commercial cloud. He said it gives the agency a high-availability, high-capacity data processing functionality it needs.

CBP jumped on board early to take advantage of DHS’ email-as-a-service offering, and is looking at its options for platform-as-a-service.

“We’ve been reworking our architecture and replatforming our systems. We were a heavily mainframe-centric shop probably three or four years ago, and since then we’ve been working to get out of that architecture and into our common architecture that we would be able to use across all of our platforms and is a leapfrog into cloud,” Armstrong said.

Armstrong said the goal is to finish re-architecting CBP’s systems and applications in the next few years. He said that effort is slowing down CBP’s move to the cloud.

While there remains a lot of work still to modernize its systems, CBP is taking some incremental cloud steps. Armstrong said over the next year or so he hopes to bring to major mission-critical apps into the cloud.

“Our two big systems are our Automated Commercial Environment (ACE) and we are reworking our old legacy mainframe system into a cloud architecture. We also are modernizing the processes, how cargo gets cleared, how duties get collected, that’s all going through an overhaul and is currently scheduled to be completed by 2016,” he said. “The second one, and this is the bulk of our data, is the TECS system, which houses the data for all of the passenger processing, folks coming across the ports of entry. It’s a real quick turnaround in terms of someone coming across the border and having to give the officer information for them to make a quick decision and analysis. That also was a very heavily mainframe based system and we are moving to the cloud architecture.”

CBP’s look to mission or agency-specific apps once again matches up well with what other CIOs are saying.

In the survey, 48 percent of the respondents listed moving agency-specific apps to the cloud as being next on their list, with customer service software, email/collaboration and public websites also high on their agendas.

Interestingly, respondents overwhelmingly said a government-only, commercial cloud is where they are heading in the next year as well.

While cloud and cyber are two of the biggest focus areas among CIOs, big data and mobile computing also are getting a lot of attention.

Survey respondents say better analytical tools and data standards are the two most common approaches to addressing the big data challenge.

Armstrong said CBP has faced a huge data deluge over the last five years. He said the amount of data the agency manages increased to 17 petabytes from 6 petabytes over the last five years.

He said CBP also has seen a huge increase in the demand for its data, with queries increasing to 58 billion a day up from 14 billion a day in 2009.

“The ability to process that data, analyze it and use some business intelligence around it is crucial to us,” he said. “As we modernize the database platforms and how we were structuring the servers together, [it] allowed us to increase our ability to process queries by about 23,000 or 24,000 percent, and yes that is thousand, it’s quite a significant increase. So we saw where business intelligence queries used to run in a week, now run in three or four seconds. As you can imagine from a mission user’s standpoint that means they can do a lot more analysis now in much shorter timeframe in terms of trying to find that needle in the haystack is.”

Mobility is one area where CBP differs from other agencies to some extent.

A majority of the CIO and deputy CIO respondents say a bring-your-own-device policy is coming within the next two years, with 33 percent saying within the next six months.

Armstrong said CBP’s move to BYOD may never happen. He said there are too many challenges as a law enforcement agency and in having so many employees working in unforgiving environments.

But, Armstrong said that doesn’t mean mobility isn’t a key aspect to their modernization effort.

“Security is the key concern for us with our mobile devices,” he said. “The types of devices that we use for our mobility, we are trying to structure in a way that lets us manage and secure them. We are using mobile device management tools, mobile application management tools and capabilities that offers us not just the security, but the ability to remotely wipe the device, to track the device and to ensure we don’t have any data-at-rest issues sitting out there.”

Armstrong said CBP also would like to add newer capabilities to mobile devices, such as fingerprint scanners or license plate readers, so therefore they have to figure out how to extend security features to those functionalities.

Overall, CIOs and deputy CIOs recognize the challenges they face.

“IT is a complex issue that continues to grow more complex,” one respondent commented. “The variety and speed of change compound the challenges. Legislation is not the answer. There are unreasonable requests from users who do not understand the security, privacy, infrastructure and budgetary constraints within which CIOs operate. This feeds a dysfunctional cycle that can only be addressed by the top leadership within the organization. He/she must strive to align the demands and resources to realistically address those things that best serve the mission and the American public.”

Another respondent said, “I think there should be a ‘federal CIO substitute’ program. OMB should compile a list of highly respected retired federal CIOs willing to serve as a ‘substitute CIO.’ Before an agency CIO separates from government, the substitute CIO can come in during the last two weeks of the CIO’s tenure and ‘carry the torch’ until the new CIO is recruited and hired. The substitute CIO can help the new CIO get oriented 2-4 weeks after the entry on duty (EOD). The idea is any time period that there is a void in IT Leadership creates dysfunction and inertia. A substitute CIO would have to have nondisclosure agreements and non-compete agreements that make it clear that they cannot compete for the CIO vacancy nor can they compete in ANY way on contracts. The substitute CIO would fill the gap until the new CIO can add value.”

Editor’s Note: Charlie Armstrong also joined Federal News Radio recently for an online chat to discuss these issues and more. View an archive of the chat here.

RELATED STORIES:

CIO’s influence growing around mission, budget, survey finds

CIO priorities zero in on cloud, cyber as budget uncertainty looms

CBP turns inward to modernizing IT infrastructure

Online Chat: Ask the CIO with CBP’s Charlie Armstrong

Comments

ASK THE CIO

THURSDAYS 10 A.M. & 2 P.M.

Weekly interviews with federal agency chief information officers about the latest directives, challenges and successes. Follow Jason on Twitter. Subscribe on Apple Podcasts or Podcast One.

Sign up for breaking news alerts