When Ryan Cote walked into the Transportation Department last March to be its new chief information officer, he had a pretty good idea of what to expect.
Cote came to the job on the recommendation of the previous CIO, Vicki Hildebrand, and brought a similar private sector background.
Now, six months later, Cote said he has pushed forward many of the same priorities and projects that Hildebrand started a year ago, beginning with the goal of IT centralization.
“We are in year one of a three-year plan to centralize all of IT. When we are successful at the end of 2021 or so, the modes’ IT will all reside in the office of the CIO,” Cote said on Ask the CIO. “We will manage every system. We will manage the networks. We will manage all help desks, project management and dev/ops. It will all fall under the CIO’s purview as opposed to the modes. It will not only increase efficiency and save money, but also increase the security of the systems, modernize them because it’s really, really hard to manage this many people and this many systems, and it’s even harder when you have nine CIOs in each mode doing their own mission on their own strategy.”
Historically, Cote said the headquarters’ CIO office has been more of an oversight office, but now will get into the business of IT by standing up a project management office and a group to run application development. In the end, he said the CIO’s office will run all IT across the department, except for the Federal Aviation Administration.
“It’s going to be a joint effort between DOT and contractors, who manage almost 90% of the systems today,” he said. “We will work with them to figure out where we prioritize the applications modernization. That is always the hardest part. Which goes first and why—is it a risk-based assessment, a cost-based assessment or a legacy debt maintenance assessment? It’s a balance often between all of those different equations. What we have to make sure we do at the office of the CIO is not impact the mission of the modes.”
Cote said the IT centralization focus is part of the broader reshaping of how the agency manages and uses technology through the nine BHAGs—big, hairy, audacious goals—that focused on everything from cybersecurity to shrinking the IT footprint to implementing intelligent software. DOT has a $3.7 billion IT budget, with 78 percent of all projects on schedule and 68 percent on budget, according to the federal IT dashboard.
“For us, this model focuses on three areas: safety, infrastructure and technology innovation, which not coincidentally is the same mission of the secretary in the department. Her focus is always on public safety, infrastructure of the nation and technology and innovation,” he said. “The nine BHAGs that Vicki laid out, which we’ve largely kept the same, have the same focus.”
In addition to the nine BHAGs, Cote has three other big focus areas, starting with network security and modernization.
Cote said all of these efforts are part of how DOT is cleaning up rogue or shadow IT. When his office did an assessment, they found 20% to 30% more devices than initially thought.
“After doing that assessment, we have to pick a standard. We have to get modern. We have a Cisco-based solution and we would love to get as standard and as flat as we can be on the network. It helps with everything from management to patch management to security. The flatter the network, the fewer different devices you have, the better when it comes to rolling out updates, locking it down and securing it,” he said. “We still are fighting a little bit of the battle of shadow or rogue IT, of things that are out of spec. We have a standard we have set that says ‘if you are going to be on the network, you must at least have this minimum requirement of a device, a level of security, a level of encryption or a level of you name it.’ In some cases, we still have not been able to remedy and replace all of it because some of these are mission critical that you just can’t disrupt. We have to take a very careful measured approach to how we replace network equipment as we go.”
Cote said once that network standardization and cleanup is done, DOT will modernize its network operations center (NOC) to have “good eyes” on the network to address security threats and vulnerabilities. His goal is to have a predictive and highly adaptive NOC.
“Once we know the network is locked down, we know we can manage it and we know what’s going on, then we can begin to modernize everything else that runs on that network,” he said.
As part of getting ahold of the network, Cote said that through application rationalization, DOT will reduce, consolidate and modernize some 3,500 applications.
Both of these efforts underpin the third area of cybersecurity.
“We will figure out which [applications] simply can’t be patched or modernized. We have so much legacy debt that we just can’t get them up to a point where they will pass a cybersecurity audit. They are just so old and the amount of time and money we’d have to throw at them isn’t worth it. We are better off replacing them with a modern system,” Cote said. “The applications will fall into three buckets: those that are good today, those that are not good, but we can modernize and fix and get to a level of acceptance, and those that are simply unacceptable and we must either eliminate or replace.”
Cote set up an application rationalization group that includes every mode to determine priorities based on need and mission.
“My focus, primarily, is on cybersecurity. We have to look at those systems that are the most vulnerable today, the high value assets. We have to form some sort of criteria by which we measure and ultimately come up with a prioritized list. For us it begins with HVAs, then mission critical and then those that are at risk from a cyber perspective, and it all rolls downhill from there.”
The first big lift is around grant applications. DOT currently has nine different ways of giving out grants that use 60 different systems.
Cote said he is working with the modes to develop, through an agile approach, a new centralized grants management system.
“We currently have an enterprise grants solution pilot being run in the Maritime Administration and by the end of the year we will hopefully have proved that the pilot worked. Then in the next year or two or three, we will begin to transition all of the modes into this grants management system and eliminate those 60 or so systems and have one grants management system for all DOT. That is only one function,” he said. “There are 100 more things like that, that we need to do.”