As the Transportation Department’s chief information officer, Richard McKinney saw the Federal IT Acquisition Reform Act (FITARA) as a golden opportunity.
McKinney, who left DoT after three years as its CIO at the end of the Obama administration, said he was a big fan of the law because he needed it so much.
“I needed it to accomplish some of the stuff I wanted to accomplish at DoT,” McKinney said in an exit interview on Federal News Radio’s Ask the CIO. “The first time I think I put the FITARA hammer on the table was during the cyber sprint after the Office of Personnel Management hack. [Federal CIO] Tony [Scott] put out this pretty strong directive that we were going to move 100 percent of our privileged users to two-factor authentication and a pretty high target for non-privileged users, like 90 percent. DoT was down toward the bottom of the list. We were way behind and we made progress. We started but the timeline we were on was not going to get us done to meet Tony’s timeline, especially at the FAA. They had plans to do it, but their plans carried about a year or year-and-a-half out. So I, using my FITARA authority, I talked to the secretary and deputy secretary about it and they said, ‘you know what 100 percent means?’ I said, ‘yes.’ So I put out the directive that all privileged users will get two-factor authentication by that date or as CIO I will take their privileges away and take them off the network.”
Over the next three months, DoT made progress with only one small office not meeting the goal.
“I had to suspend one small agency for a weekend because they didn’t get done in time. We said no exceptions will be made. We took one of our authenticated, privileged users and gave them responsibility over the 10 who hadn’t gotten it done,” he said. “We kind of Band-Aided it through the weekend and it turned out okay. I meant what I said and I had to act.”
McKinney, who served on the OMB executive working group and helped develop the FITARA implementation guidance, said using the FITARA authorities sent a message to the executives about how seriously he was taking the law.
In addition to the cyber sprint, FITARA came in handy during the fiscal 2017 budget process.
McKinney said he depended on his relationship with the budget office and DoT’s CFO.
“They educated me about how the budget process works and how they could interject me into that process so that I can fully exercise my FITARA authority,” he said. “I put out a memo that said until you [component agencies] file a spend plan with the [CIO’s] office — I’m moving now from budget to acquisition — every year about how you will spend your money, what projects you are working on and bring us up to speed on that, if we can approve your spend plan, then you can execute that spend plan without asking us each time. The memo said you can’t spend money until you do.”
McKinney said that memo now is part of the DoT’s budget process requiring component CIOs to file spend plans for the year within 60 days of Congress approving the budget.
“That was a real change and based on FITARA,” he said.
The House Oversight and Government Reform Committee’s FITARA scorecard didn’t necessarily reflect McKinney’s view of the progress. The committee and the Government Accountability Office said DoT earned an “F+” in the November scorecard, including an “F” for CIO authorities.
Federal CIOs have said publicly and privately that the FITARA scorecard doesn’t necessarily represent the progress they are making.
McKinney said he wasn’t as successful in using the law’s authorities to have a bigger say over the component level CIOs.
“I had a number of CIOs in the department, very capable people, but they weren’t full-time CIOs nor was it their background. It was a hat they wore, but not necessarily their background,” he said. “With the increased importance of information technology in all of our businesses, I felt it was important to move to where we had dedicated, full-time CIOs that only had one set of responsibilities.”
McKinney said he ran into a lot of human resources resistance and complexities.
McKinney said it was important for each one of DoT’s bureaus to have someone, with the title of CIO or other title, who could lead the technology discussion in terms of how it impacts the business of the agency.
“I felt like the department would be at its strongest if each of the operating administrations had a dedicated full-time CIO who had a background in IT who then could make sure technology was properly integrated into that operating administration,” he said. “As hard as I tried to get that across the finish line when I was there, I came up a little short.”
McKinney, however, didn’t come up short in transforming DoT’s IT infrastructure.
During his three-year tenure, DoT went from not knowing all the devices on its network or the network boundary to having a full inventory of more than 1,000 devices and improving the network to begin moving to the cloud.
McKinney said he turned to two vendors, Decisive Technologies and Riverbed, to provide these network discovery and improvement services.
“What I did with Decisive was say, ‘if DoT was brand new and we brought you in there to design the network from day one, what would that network look like?’ Once they determined that, I wanted a migration plan from the as-is drawing to the future state and could you map that out for us step-by-step?” he said. “We can’t close down the network to make these improvements. These improvements and changes would have to be staged over a long period of time and done in the right sequence and properly coordinated with a lot of other things. That is what Decisive did. They gave us a project plan that will allow us over these next few years to change the network to be the kind of network that it always ought to have been.”
McKinney said the next DoT CIO can follow this plan to continue to strengthen the agency’s IT infrastructure.