For FEMA, cloud services are a lifeline to disaster survivors.
There may be no better use cases than when a hurricane or tornado strikes and FEMA must scale up its grants management or flood insurance program to tens of thousands of users in a matter of hours.
Lytwaive Hutchinson, the outgoing FEMA chief information officer, said the scalability and flexibility of cloud services, along with the innovation from providers, means the agency can continually adapt to the changing needs of citizens.
“Our goal is to, by the end of this year, have at least 50% of all of our systems and services that are cloud ready to be moved into the cloud,” Hutchinson said during a recent panel sponsored by ACT-IAC, an excerpt of which was part of the Ask the CIO program. “I’ve had conversations with some vendors and some folks about lift-and-shift, lift-and-shift is my last resort. That is not something that’s viable. My first look is to take capability and actually either modernize them and/or move them into the cloud because they are cloud ready or if they are not, then they should remain on-premise.”
Hutchinson, who announced in March that she is retiring from federal service after 41 years, said some systems are better suited to remain in FEMA or Homeland Security Department data centers, while other systems are ready today or could be ready in the short term.
“We do have upwards of, I think, 53 systems that are cloud ready so that will be 50% of 53 for this fiscal year. We have another set of systems that are not cloud ready and will have to go through a modernization phase,” she said. “Our goal is by fiscal 2026 to have all of our systems and services in the cloud. That is inclusive of our financial systems. We will address each of our systems on a case-by-case basis.”
She said this IT modernization initiative must be part of how FEMA does business every day and responds to every disaster. This means the services must be less about the greatest and latest technology and more about ensuring citizens have access to FEMA’s services whether they have internet connections or not.
“Our goal is to ensure that our services do not become obsolete by just adding on a building on to current technology, but embracing new technology as that technology availed itself,” Hutchinson said. “You also heard us talk a little bit about our theme for this year, which is delivering digital equities. I know it’s a really nice little catchphrase, but it really does mean something to us. It is about delivering equity to our IT partners and to our citizens to be able to access being this data, not just access it, but access it securely. We also want to make sure that we are taking care of our disabled community, and that we’re ensuring that our systems, our services, our websites are ready for them to also be able to utilize. We have a lot going on across FEMA as it relates to systems and services that we would like to deliver to our partners and to our citizens to be able to take advantage of the capability that FEMA brings to bear especially during the time of need in a disaster.”
Securing software earlier on
One way FEMA is taking on this challenge is through a “secure by design” approach to developing new services.
Greg Edwards, the FEMA chief information security officer, said this is how the agency brings security closer to the acquisition process so that it addresses potential and real vulnerabilities on the front end of the development phase.
“We spent a lot of time in terms of zero trust with our users and thinking about how they access our services and devices in a protected and a secure manner. In that area, we’ve made some improvements in terms of how we control our mobile devices and made some modernization in the network and in the applications,” Edwards said on the panel. “In terms of our network, we’ve done a heck of a lot of modernization of the assets themselves. That’s all about our journey to our FEMA enterprise cloud. Then there is the data from a cyber perspective, where we are focusing very heavily on data being encrypted at-rest, and also data being encrypted in-transit.”
The move to the cloud and the focus on zero trust are forcing FEMA to rethink not just its internal protections, but also how the public must access the data and applications.
Edwards said this is where the secure-by-design framework comes in.
“What that is going to allow us to do is closely align our system development lifecycle with the acquisition lifecycle. So step-by-step, we’ll be looking at cyber activities from when you’re doing some software development to when you’re doing some critical design testing to when you’re implementing to when you are decommissioning the system,” he said. “We think this framework, secure-by-design, will be helpful to govern our overall processes and help us tighten the reins in that area.”
Through the secure-by-design approach, Edwards said FEMA is fixing vulnerabilities faster, reducing the cost of security and improving collaboration between the technology and mission areas of the agency.
Getting governance right
The biggest impact of secure-by-design, however, may be in how the system operates to serve the mission and citizens.
Edwards said that by looking at problems more holistically, FEMA can ensure changes or updates don’t have downstream effects that may make one element less secure or more complex to use.
“We’re at the governance point still, and then we want to communicate the governance framework to our governance board so we get the buy-in from the whole community about the concept and methodology. We want them to have a good understanding of it before we start saying that we’re actually implementing anything in that regard,” he said. “But in our business, we’re always working in parallel. We’ll be partnering with our major programs so we do some prototyping, some understanding of some of the impacts of actually implementing this, and getting to a goal of ongoing authorization and things of that nature. While we work on the governance, we’re also working with programs to prototype how this would actually work. By the end of this year, we would expect to have our governance process solidly in place, and my boss has asked me to make sure that I have about three processes that we’ve fully implemented by the end of this year as well.”
Edwards said there are nine processes within secure-by-design and FEMA is looking at three of them, such as security planning and auditing.