The two cyber breaches at the Office of Personnel Management have got the attention of the media and federal managers. It’s also landed on the plates of many chief information officers.
“Everyone in the government is looking at a lot of the same things right now,” Ann Dunkin, the CIO at the Environmental Protection Agency, told Federal News Radio Executive Editor Jason Miller on Ask the CIO. “It’s no secret that there’s a 30-day cyber sprint going on. So, obviously a lot of our attention is focused on looking at those things that are on that list and making sure that we’re in good shape.”
Some of the things on the list can be described as “shoring up the base,” Dunkin said, which means taking care of things that agencies already should be focused on. Other things are aimed at getting agencies to think differently about cybersecurity.
“We’ve had some great conversations over the last several months, not just since the breach, about the difficulties of security and the world we live in and changing our way of looking at things,” she said. “Assuming that one can and will get into your network some day, which doesn’t mean you shouldn’t do everything you can to protect it, but you should assume that someone can and will get in your network someday, because it changes the way you think about things.”
This shifting in thinking forces agencies to look more closely at their high-value data and identify what needs to be protected most, rather than trying to stretch the same level of protection across the entire agency. That way, when there is a breach, the most important data will be protected.
“That’s a big difference in the way a lot of people are approaching it,” Dunkin said. “If you talk to some of the big companies out there, many of them have stopped even trying to protect their perimeter. They know that that’s a waste of their time. We’re not ready to give up on protecting our perimeter, but we do know that we have to take care of those high-value things.”
The cyber sprint is a good first step, but it is just a sprint and it won’t solve all of an agency’s cybersecurity issues.
“We can’t think that just cause we did a sprint, it’s going to make a huge difference in our posture or that it’s going to be everything we need to do,” she said. “So the big focus is what’s our long-term strategy? We’ve been in a long-term conversation in the organization with our senior leadership about what we need to do to better fund and support and to change change the culture of how we think about security in the agency.”
Dunkin acknowledged two-factor authentication is a huge deterrent for people getting into a system.
Greg Godbout, the former executive director of 18F, recently joined EPA to head up the agency’s digital services.
“We’re building a team under Greg, but more importantly, we’re also embedding digital services type folks into our organization,” Dunkin said. “So our goal is not to get a group of people who are going to come in, but the fire jumper and jumped into this program, fix it, and leave. Our goal is to embed folks with with these skills into our programs long-term. They will teach the long-term feds about how to do agile and agile procurement, agile development. And long-term feds will teach them about how to work in the government and the challenges and we will have a great partnership.”
Even if at the end of the two and four-year terms EPA doesn’t renew the digital team’s contracts, the remaining employees will have learned those skills.
Dunkin’s first day in her current job was Feb. 23. She’d previously served as senior adviser to EPA Administrator Gina McCarthy.
President Barack Obama nominated Dunkin to be EPA’s assistant administrator in January 2014, but Congress never approved her nomination. She was renominated this year and is serving as the agency’s CIO until that nomination goes through.
Prior to coming to the federal government, Dunkin worked 20 years for Hewlett-Packard and then left for her first public sector job at the Palo Alto, California school district.
“Loved what I was doing in Palo Alto,” she said. “But I had an opportunity actually through the Victory Institute. They asked me for my resume a while ago, and a couple of years later, I got a phone call from the White House. Hard to pass up those opportunities when the White House calls.”
After talking to a few agencies, Dunkin decided EPA would be a good fit.
“Thinking about it, it was an opportunity to impact the entire country, as opposed to just a small part of the country with one school district,” she said.
According to Dunkin, the CIO’s role at EPA is pretty much like that of any other CIO in the federal government. Responsibilities range from ensuring the agency has a good Internet connection to providing staff with needed software to developing and implementing new tools.
“In terms of how I see the CIO role and how I approach it, it’s really coming in and understanding where the organization is and where the organization should be, from a technology standpoint and then charting a path to get there,” she said. “That’s really how I approach that job. You’ve got to get the fundamentals right. The price of admission to do anything else as the CIO is that the trains have to run on time. The network has to be up and running. Email has to work. All those things have to work, and then you have to figure out what else you need to do to make the organization more effective and productive.”
Dunkin revealed that she’s prepared a technology agenda for EPA that runs to the end of the current administration, but it’s only been released in-house.
“We have some stuff that we’re rolling out internally, in terms of what we’re trying to do,” she said. “It’s still only gone out to a relatively small number of people in the agency. But we’ve got a pretty clear path charted for where we want to get during the rest of the administration.”
Just before Dunkin arrived, EPA had completed a multi-year transition from Lotus Notes to Office 365. The next step is to upgrade to the G3 version Office 365, which will increase the agency’s capabilities.
“We’re rolling out pretty aggressive efforts to use SharePoint, and encouraging people strongly to start moving towards the other tools that we have available to us in Office 365,” she said. “We’re actually going to be creating a marketplace where folks can easily get their SharePoint development done. That’ll be one of our tools for migrating our remaining Lotus Notes databases. We still have quite a few Lotus Notes databases. We want to look at those, want to make sure we consolidate similar applications. We want to look at going to existing shared services within the agency or elsewhere in the government, commercial, off-the-shelf software and then SharePoint as our next platform to do that migration for those things.”
She added that EPA seems to be settling into that piece of the cloud, but it still would like to have cloud hosting for mission related programs.
“We’ve done some efforts, but we’re moving towards now, in fact, we’re very quickly ramping up on having our National Computing Center down in North Carolina be a cloud services brokerage for the agency,” Dunkin said. “So, they will basically put together a group of vendors that folks can then use. And they’re going to be the folks who say, ‘You want to host program X. We need to understand your requirements. And then we’re going to tell you, maybe you belong in this cloud vendor A, cloud vendor B, cloud vendor C, or in fact, you should me on premise here or maybe a hybrid cloud, where we have your basic needs on premise, but we have additional capacity in the cloud.'”
EPA is also interested in augmenting its high-performing computing capability with cloud-based capabilities. This will allow it to ramp up from a few hundred processors to a few thousand, and then drop back down as the computing needs change.
“Right now, we’re doing a very simple pilot with existing capability that we have, and then we’re going to look at if there’s a good vehicle out there,” Dunkin said, when asked about if EPA was going to acquire a cloud broker. “Then we’re going to look at whether there’s a good vehicle elsewhere. There are a couple of other agencies that have some vehicles that might work. So, if those work for us, we’ll go there. But if they don’t, you’ll see an acquisition. One would expect it would be a multi-award type vehicle.”
EPA also obtains shared services from others, such as Office 365 in the cloud, as well as services obtained from other government entities, like it’s HR system. EPA also shares services with other government agencies, such as eRulemaking and FOIAonline.
“Those shared services are really one of the foundations for our relationships with the programs in EPA,” Dunkin said. “They use those to help facilitate their communications with the states and the tribes and the regulated communities.”
One of the bright spots in the shared services EPA participates in is the online tool that allows people to access government data through the Freedom of Information Act.
“FOIAonline has been hugely successful,” Dunkin said. “When people look across government about what’s working in the FOIA community, FOIAonline gets a lot of credit for things working really well. For us, making documents available to the public. The system can immediately make documents available when your respond to a FOIA. So, for EPA, for example, we make everything public that we don’t have a reason to make private when we respond to a FOIA.”
Dunkin called its Central Data Exchange (CDX) a cornerstone of EPA around collecting regulatory data.
“It’s going to be a cornerstone for E-Enterprise for the Environment, which is a program that will totally change how we interact with the regulated community, the states and the tribes,” she said. “In CDX right now, we continually are increasing the number of data flows that flow through CDX, and we’ve been doing some great partnering things with CDX.”
Dunkin said EPA has a busy agenda over the next few months.
“Cybersecurity is a big topic right now and it’s always something on our agenda. It always will be on our agenda,” she said. “So, we’ll continue in that vein trying to improve our security posture.”
The other two big areas EPA will be focusing on are digital services and FITARA (Federal Information Technology Reform Act).
“We’ve sort of positioned ourselves as an earlier adopter of digital services,” Dunkin said. “We’re very, very excited about the work we’re already doing with some of our programs and we’re going to accelerate that work over the next few months.”