The Federal Emergency Management Agency is taking a page out of its disaster management playbook to ensure its computers and networks survive a cyber attack.
FEMA recently completed a resilience and security review to better understand its technology strengths and weaknesses.
Adrian Gardner, FEMA’s chief information officer, said with the frequency and sophistication of cyber attacks rising, he had to figure out how best to ensure the agency’s IT infrastructure would survive and continue meeting mission needs.
“We have gone out and looked at all of FEMA’s assets and resources to look at them from a security and resiliency standpoint, to ensure we have thought about not only the current state of those capabilities, but what’s next. That’s something we’ve been doing over the last nine months and it’s a big deal for us,” Gardner said. “That sets the stage to stabilize the environment, then thinking about optimization of capabilities and then transformation. That’s one of the major steps that is allowing us to establish that baseline of the IT across FEMA and then transitioning to meet the unmet needs of the future.”
Gardner said the security and resilience review looks across all of FEMA, not just the IT infrastructure the CIO’s office manages.
“It’s really looking at the FEMA ecosystem from a perspective, strategically, on how we could work together to provide better capabilities and competences from a standpoint of growing our staff to meet the needs of FEMA and our mission space,” he said. “One of the things I’ve come in with is my interpretation of the Clinger-Cohen Act here within FEMA. FEMA is a very decentralized agency. It’s intended to work that way. So to bring in a centralized model for IT probably wouldn’t work here, it would not be culturally where we need to be from an IT perspective. One of the things I’ve been pushing is thinking about openness and transparency of IT. I don’t have to control it, but be aware of it so as a community we can work together to think about the strategic direction going forward from the standpoint of IT.”
The resilience and security review was among the first initiatives Gardner undertook when he came to FEMA in September 2013. Gardner spent more than three years as the NASA Goddard Space Flight Center CIO before moving to the Homeland Security Department’s directorate.
Gardner said he hopes to institute a mantra of “build once, use many” to develop IT systems that could help many different agencies.
He said under the optimization phase, his office will take on the redundancy issues. Then the transformation phase will focus on moving FEMA toward a modern IT infrastructure that is all about meeting the agency’s business needs.
Gardner said looking at enterprise services across FEMA or from the broader DHS enterprise is part of the optimization phase.
“There will be some IT that will be component-specific and some IT we will be able to leverage the enterprise,” he said. “There are some component-specific capabilities that we will have to take on. One would be grants and grants management. FEMA is the largest grantee in DHS, so that will be one of the things FEMA as a whole would take on as a potential enterprise solution or capability that others within DHS could take advantage of or other government agencies.”
One way to ensure there is broad support for all three phases of FEMA’s IT infrastructure modernization effort is through the recently reconstituted IT governance board, which hadn’t met in nearly two years.
He said the board plans on meeting every two weeks.
“The issue of governance is extremely relevant from the standpoint of this model. We have to have strong governance and governance that is timely and value- added when you take on this kind of approach,” Gardner said. “This will be one of the keystones of how we execute. The mission side or headquarters is represented as well as there is a lot of regional interaction. The other thing we are endeavoring to do is that it doesn’t always have to be the leaders that are on the IT governance board, so in other words we need some young folks that can influence and look at issues at a very different way. So we also took the step of having some GS-14s and GS-15s on the governance board because they completely add value and can provide different insights we may not have seen from the standpoint of the graybeards sitting in the room.”
Gardner said part of the resilience and security review is setting FEMA up in the short term to take advantage of mobile technologies and big data analytics.
He said the immediate focus on mobility comes from two factors: most of FEMA’s staff works in the field, and the agency is following the General Services Administration’s workplace model of hoteling and teleworking.
Gardner said over the next three to five years, data and analytics will play an even bigger role in helping FEMA make better decisions and improve how they prepare for disaster response.
He said tackling the big data challenge will be part of the optimization stage of the modernization effort. Initially the focus will be on data standardization and data cleansing with an eye toward using open standards and those already being used in the geospatial community, he said.
FEMA also has several big procurements on the horizon, including the Disaster Management e-government initiative, the Enterprise Applications Development Integration and Sustainment (EADIS), and the Centralized Operations, Maintenance and Management Information Technology (COMMIT).
While Gardner didn’t comment directly on the acquisitions, he said FEMA is in deep discussions with the vendor community and looking closely at service-level agreements and other delivery factors.