Congress may not meet the Office of Personnel Management’s full funding request to improve its IT infrastructure. House lawmakers would allocate about $18 million out of the $37 million the agency asked for in fiscal 2018.
But before OPM can confidently use that money to complete the modernization of its networks, it’s missing one thing: a more secure cloud infrastructure from its vendors.
Dave DeVries, who retired after 35 years in government including the last year as the chief information officer at OPM, said in an exit interview on Ask the CIO that the current state of OPM’s IT security and modernization strategies are in a solid place in the two years since the major cyber breach that exposed the data of more than 21 million current and former federal employees.
“Right after the events of 2015, we set out a strategy of mitigate, take care of the security problems we had identified at that time, then it was modernize and applications,” said DeVries, who now is the CIO for the State of Michigan. “We are well underway with that. This past year, we have closed down four of the nine data centers, and three other ones are marked and we are in the process of doing the final plans for those things. You will see more of those in the next month. That is a huge thing. If you don’t know where your assets are, how can you really protect it and what kind of money are you putting toward it?”
DeVries said the goal of the data center consolidation and infrastructure modernization was to finally move the applications up there. He said they were modernizing the infrastructure and that their effort was helping to reduce the complexity of what OPM operates, maintains and defends.
Back in 2015, OPM was calling its IT modernization infrastructure effort the “Shell,” but DeVries said not only is that name no longer used, but the entire effort has evolved.
“We have gone through and know where our boundary lines are for our networks, and have then all protected in-depth all the way down to the data level. So I have a strong cybersecurity where I know what I got and know how to protect them,” he said. “We will continue to fine tune that as I decrease the number of compute centers where the data is stored at. It only gets better with time. I can also put more money into the disaster recovery or the automated fail overs if something becomes unavailable.”
DeVries said several applications and data are in the cloud, but before OPM can comfortably move a large number of its systems to a commercial cloud, it needs to meet the high security baseline under the Federal Risk Authorization and Management Program (FedRAMP).
“We are working hard toward that. I’m thinking by end of this calendar year we might have something for us,” he said. “It’s not hard about the technology, it’s hard because that’s important data that belongs to the government and I’m not just going to stick it out there.”
Currently there are three vendors with four services rated high under the FedRAMP program, including Microsoft, CSRA and Amazon Web Services, and there are two others going through the process.
DeVries came to OPM in September 2016 after spending his entire career in the Defense Department. One of the reasons DeVries made the move was to help stand up and develop the technology with DoD of the National Background Investigations Bureau (NBIB).
The NBIB reached full operating capability in October 2016, but new technology infrastructure to support the security clearance process hasn’t been launched or remains in the test phase. The NBIB currently is facing a backlog of more than 700,000 cases.
DeVries said the NBIB has done a business process reengineering effort that is being implemented to move toward continuous evaluation process.
At the same time, DeVries said OPM has made more targeted improvements to the current NBIB systems to address the ever-evolving threats. One major change is obtaining a better understanding of the data flows and exchanges across government and with private sector companies.
“That needs to be brought into the National Background Investigative Services and in that system is a capability, how do I vouch to something that is not continually looking at a person’s environment and is there something that happened to Dave DeVries that maybe we should put a closer eye on him or have investigators go into the field and look at some things there instead of treating everyone the same way? It is about changing that paradigm,” he said. “In the past few months, we have made good strides in understanding what the data feeds and processes might be in there.”
He said no technology has been moved to DoD so far. Instead, the OPM expects to launch the initial capability for continuous evaluation by next September.
“One of the things I did change was when we let the new contracts for the four companies to hire investigators. The old way of doing business was the companies would stand up their own networks and I would certify that network, and investigator Smith would work on a case, but he would own that case on his laptop on the company’s network. That is no more,” DeVries said. “They will use a laptop with my configuration on it. I make them check in and nowhere can they move the data back to the company’s network, it stays on the government’s side of the house. That is a huge change and it’s starting to work out well.”
Another major challenge for OPM has been around modernizing the retirement system.
DeVries said OPM has another process to look at how to upgrade the effort, but it’s not simple because of all the data feeds coming into the database.
“I’m not necessarily looking for the contract and RFI that goes out that says I need a large scale integrator. I want this capability that could be a series of smaller businesses that can do it and if I can break these things up and get some of these agile deployment teams in here and show the piloting because I can scale out of these things after that.”