Small agencies, ranging from the Securities and Exchange Commission to the Denali Commission to the U.S. Institute of Peace, are held to the same technology policies and laws as their larger brethren.
The challenge, for many, is how to meet FISMA, FITARA and the alphabet soup of other requirements without the hundreds or billions of dollars in funding that the CFO Act agencies enjoy.
Chris Chilbert, the Consumer Financial Protection Bureau’s chief information officer and co-chairman of the small agency CIO council, said a new guide will help these small agency technology leaders fill in some gaps that have emerged over the last five years.
The Small Agency CIO and IT Executive Handbook, released earlier this summer, details a “foundational understanding of responsibilities related to IT” around everything from planning and management to customer service, procurement and shared services.
“No one gets a pass being a small agency when it comes to cybersecurity threats, so the threats that the large agency faces are the same threats that the small agencies face. The sensitivity of the data, the data that you’re handling is often just as sensitive, so you still have the same responsibilities,” Chilbert said on Ask the CIO. “Coming into the role, what the handbook does is lays out a lot of the things that you need to be thinking about when you take that job and poses a lot of things in terms of questions to ask yourself to help design and plan to figure out what do I need to focus on first. Even if you’re walking into one of these roles and have a technology background, often it’s going to be in one specific discipline. This helps provide a greater sense of what the breadth of things you need to be thinking about, and helps you put together a plan to be able to deal with those things.”
And there are a lot of things every agency CIO must deal with, but Chilbert said for small agency leaders, the load is a much heavier lift.
Many times these executives are wearing multiple hats: they are the CIO and the chief privacy officer, or they are the CIO and the chief data officer.
Chilbert said typically a small agency technology leader is much closer to the mission, and they are dealing with those challenges as well on a daily basis.
“The expectations that you have deep knowledge across the board are pretty significant. At a large agency, when I’ve been working there, you have executive leadership and different functional roles that you can rely on for some of that depth. In this case in a small agency, you’re going to be dealing with the top leadership on a fairly regular basis and providing recommendations to them,” he said. “When you look at some of the priorities of this administration or previous administrations regardless of the party, technology is a big part of that and providing a good customer experience to the citizens of the country and expectations are increasing.”
Learning from each other
He said another driver for developing the handbook is that, as responsibilities and requirements continue to evolve and increase, small agency CIOs need to know where to look for help, including taking advantage of shared services.
“One of the things that we also wanted to make sure is that the government isn’t trying to solve the same problem 100 times. We have to learn from each other. So we are trying to use this opportunity to create and continue to build the community of small agency CIOs and connecting them to the larger federal IT community,” Chilbert said. “Zero trust is a great example of that. It is on the surface very simple, but in practical terms, it is a little bit more complicated. One of the things that we found is certain agencies were out in front and been able to make some progress. We were able to help connect some of the folks that have had some success in that area with those that were still in the early stages.”
At CFPB, for example, Chilbert said he is moving most of his security operations center (SOC) to the Justice Department’s shared service. He said with about 20 agencies using the DoJ service, it just makes sense for CFPB to get on board.
“When we did an analysis and we looked at the capabilities they had versus our capabilities and trying to improve what we already had from scratch, it was a very cost effective way to go about doing that. It was somewhat of a no brainer to be able to go down that route. We talked to other agencies that were using it and they were very happy with it,” he said. “We found out about that through the Small Agency CIO Council and that was helpful. There are other services which helped implement the zero trust through that shared service, so that’s what we’re all using, so in addition to the SOC-as-a-service. The Department of Justice has a service that’s called JETS, the Justice Edge Trust Services, which effectively implements some of the network aspects of zero trust.”
Handbook was an interagency effort
Chilbert, who joined CFPB in late 2020, added he hopes to get those two services in place for CFPB by the end of December.
Chilbert said how to use the Technology Modernization Fund (TMF) to help get money for IT modernization projects is another example of where the handbook can educate and inform small agencies.
The TMF Board awarded funding to several small agencies over the last few years, including the National Transportation Safety Board in July, the Railroad Retirement Board last December and the U.S. Agency for Global Media in February.
The Small Agency CIO Council worked with the General Services Administration’s Office of Governmentwide Policy to develop the handbook starting in the summer of 2022. Chilbert, along with co-chairman Tony McDonald, who is the CIO at the Office of Management and Budget, sat down with various small agency CIOs and others from GSA OGP to gather feedback and comments on different drafts of the handbook.
Chilbert said the council wants the handbook to be a living document. It will be updated as new policies, regulations and trends emerge for CIOs and the federal community more broadly.
“Some of the other things that we are thinking about is how do we continue to build the community, and how do we continue to communicate as new requirements come out? We have to start to estimate the dates that come closer to implement some of the memos and other aspects of things like the cybersecurity executive order, just to make sure that we are sharing as much information as we can,” he said. “We also will try to bring together folks that are managing either governmentwide programs or governmentwide shared services and introduce them to the CIOs in the community. We want to do more of that. We are just one of several subcommittees for the Federal CIO Councils, so one of the things I think that we will be looking at doing as well is to start connecting the small agencies to some of that work as well since there’s a lot of good work going on across the board.”