EXIM Bank addresses nuts, bolts of IT modernization


The Export-Import Bank of the U.S. received an unusual report from its inspector general. Auditors praised the agency’s efforts to modernize its infrastructure and deploy new systems.


Howard Spira, the chief information officer of EXIM, said he focused the agency on the nuts and bolts of operations and maintenance to create this successful approach.

“We’ve been focused very much on ensuring our portfolio is state of the market, and we are approaching it in state of the market ways,” Spira said on Ask the CIO. “Unless there is something that is very special about it, we ought to be able to take care of a large part of our infrastructure portfolio with commercial off the shelf or potentially government-off-the-shelf (GOTS) software. If we don’t need to do something that is bespoke or special, then we shouldn’t be doing that. I think bringing that clarity of vision was one of the first things that we did and then we just focused on execution.”

The inspector general said in September 2017 that agency managers “who rely upon IT systems report that significant progress has been made and are encouraged by the plans for new systems and more functionality.”

Closing the maintenance and operations gaps

Spira said that when he took over as the EXIM Bank CIO in December 2014, several of the pieces to improve the governance, operations and maintenance of the infrastructure were in place. The challenge was moving his office faster to close the gaps.

“What are the budget issues? What are the personnel issues? What are the procurement issues to move these ideas into action,” he said. “A large part of that was moving from on-premise capabilities to cloud-based capabilities, moving from installed software to platform or software-as-a-service.”

One of his first projects was to complete the Bank’s move from hosting and running a financial management system general ledger to one that resides in the cloud.

Additionally, the EXIM Bank moved its email and collaboration capabilities to the Microsoft Office 365 cloud.

“We started into a lot of these things, but had not focused on the close out and execution that you need to turn it from just a cloud offering to a successful cloud deployment,” Spira said.

Spira estimated that between 60 percent and 70 percent of the Bank’s IT portfolio is in the cloud.

“There are other pieces of our portfolio that we have targeted to moving out to the cloud,” he said. “For example, right now from a continuity of operations perspective, right now we do COOP with another agency and pay them. That seems like an easy target for the cloud. We have some other activities in the tape and back-up management that seem like easy moves to the cloud. In the security space, particularly in the audit logging and log coordination, that is moving to the cloud.”

He said that as more and more applications and services head to the cloud, the question becomes: how do you do security on-premise any longer?

In fact, EXIM Bank is among the first group of small agencies to pilot the continuous monitoring-as-a-service under the Continuous Diagnostics and Mitigation (CDM) Program from the Homeland Security Department.

“We are part way through the initial implementation, but haven’t started yet,” Spira said. “We established the physical connectivity between us and the DHS hosting environment for the CDM tools. We will have a series of meetings in the next weeks and months around how to implement the service.”

The Bank’s cybersecurity efforts are one area where auditors found problems.

The EXIM Bank’s 2017 Federal Information Security Management Act (FISMA) report found mixed results around the maturity of capabilities. The IG said the agency needs to improve areas like configuration management and information assurance monitoring.

Spira said he’s using the broad push for IT modernization to move away from legacy technology, including some systems that are 20 or 30 years old.

“We’ve been able to do some re-platforming so we are not carrying the legacy hardware. Through virtualization, we are able to move off the old hardware, but the software is long out of support,” he said. “There are a couple of key components that we are focusing on. We have a manic focus on ensuring our on-premise environment is working with the state of the market hardware, operating systems and software. If we don’t have the nuts and bolts of configuration management, patch management, vulnerability assessment and monitoring, you are nowhere in cybersecurity. Even today with all the sophisticated things being done, most cybersecurity problems come back to basic hygiene issues. So we have a big focus on basic hygiene.”