When Nick Ward arrived at the Drug Enforcement Administration in December 2021 to be its chief information officer, his challenge wasn’t convincing the mission areas to modernize technology. Rather, he had to convince his own staff that it was time to move on from the legacy technology.
Ward, who joined DEA after spending almost three years as the Justice Department’s chief information security officer, said there was some fear and hesitancy to use cloud services.
“The mission owners really don’t have a big opinion on cloud versus not cloud. It’s really bringing along my staff and the culture of putting data into a cloud that is somebody else’s system. It just sounds scary, right?” Ward said during the Federal News Network Cloud Exchange 2022.
“It’s really having more of the conversations with teams that are building the technologies and talking about how this is going to have multiple benefits,” he continued. “One, it’s going to benefit your career personally because we’re going to get you in a place where you’re really good at doing cloud securely.”
Ward credited his CISO experience as benefiting him in these conversations because people recognize that his perspective is steeped in security. “That brings with me some credibility and some trust when I talk to business leaders that I’m not just going to go into these cloud systems in a ‘gung ho’ type of way that’s going to be dangerous.”
Coming from headquarters also helps Ward understand the culture and technology challenges of the agency. And maybe just as important, he said the support from DEA Administrator Anne Milgram has been critical to bringing the mission areas into the fold.
“We got to go into this not being afraid of new technology, not being afraid to use it. We do have to understand how it works and how to do it safely,” he said. “So bringing in that background has really helped me a lot. That background has also really helped me in the way that a CIO has to be really close to the mission, really understand why we need all these different kinds of resources. Having that kind of background also has helped me to really look at these not just as IT systems. We don’t do email just to do email. We’re doing all this technology to help us complete the mission of the Drug Enforcement Administration successfully.”
Early priorities on the job
Over the last nine months, Ward’s top priority has been creating a big data platform and a mission operating system in the cloud.
Like most law enforcement agencies, the DEA collects a lot of data and currently the information resides in siloed applications, he said.
“It’s a challenge for our agents to be able to use that data to do what they need to do to run successful investigations in some cases. So we’re pulling that together. We’re making sure we have the right security controls, the right governance around that data in a single type of platform,” Ward said.
Alongside that focus, there’s a need to modernize the agency’s case management system. “We want to make it a differentiator for how DEA attacks our mission,” he said. “We can have different views and different ways that a DEA agent versus an intelligence analyst might log into the system, how they access data, how they analyze data from a common platform and that is customizable.”
The goal is to make it easier for users to log in and use the system because of the governance, underlying infrastructure and applications that run on the platform. DEA is reviewing different commercial products, some of which will be in the cloud as software as a service. Ward said he expects to take advantage of the major cloud providers available mainly through existing Justice blanket purchase agreements.
“We’re evaluating other low-code, no-code solutions to help speed up development of our workflows and things like that,” he said, adding that DEA also is connecting with partner law enforcement agencies that have similar projects in the works. Although the case management project is in its early stages, “we are looking at vehicles that are in place, so we can move quickly because we do need to try to do this as fast as possible,” Ward said.
Ward is leaning on relationships created as the former Justice CISO to beg, borrow and steal from the FBI; the Bureau of Alcohol, Tobacco, Firearms and Explosives; and the U.S. Marshals Service for things like data lakes, case management systems and whatever software code they can share. He said his team also is meeting with agencies within the Department of Homeland Security and across government seeking out lessons learned and knowledge about technology usage.
“We’ve got some proof of concepts actually in place today for certain assets, like on the data platform side. We really want to have Version 1 within a year, so we want to have a usable platform,” Ward said.
Future-proofing projects from the get-go
Agile development is playing a critical role as well because these initial priorities are what Ward deemed “forever projects.”
“We’re always going to need case management, and it is always going to need to be modernized and have new capabilities,” he said. “How can we stay on the leading edge? We’re going to be pulling in capabilities from these other systems. We’re focused on creating service layers so when we do develop some custom application for whatever reason, we’re putting in the right kinds of things to have a layer where that’s reusable across all of our applications. If we create a deconfliction application, that should be usable from a mobile app or it should be usable from our web user interface that we provide to our agents. That’s the approach that we’re taking.”
Underlying the big data platform, the case management system and all other modernization efforts is DEA’s cloud-based identity and access management system.
Ward said cloud-based IDAM makes adopting SaaS applications easier to secure.
“We’re just really getting started on the infrastructure side. We had small amounts in infrastructure services like AWS and Microsoft Azure, but we’re moving much more aggressively on that now,” he said. “We’re really starting out by building our continuous integration, continuous delivery (CICD) pipelines to make sure that we have the right processes in place as we move things to the cloud.”
Although DEA has just launched its agile development processes, it’s not starting from scratch. It’s looking to level up quickly by learning from other federal law enforcement agencies that are farther along in developing CICD pipelines.
Ward’s team has talked with folks from the DHS Customs and Border Protection directorate about their pipeline, as well as borrowed Justice headquarters’ automated authority to operate service for CICD pipelines.
“It is relatively new for DEA, but there’s a lot of expertise and a lot of things that we’re bringing to bear to be able to speed that up for DEA,” Ward said. “What Justice did was they built almost a platform as a service. They took technologies like Terraform, Ansible Tower and things like that to automate the implementation of security controls.”
He’s particularly excited by DOJ’s efforts to write and implement Federal Information Security Modernization Act controls as code, which he expects the many agencies in government might eventually want to adopt.
“They essentially said how can we automate the checks of all the security controls that have to happen?” Ward said. “They’re doing it in a way that is subscribable, so that if they keep it up to date, they can push it out to DEA, for instance, as a subscription of sorts. I think they would certainly welcome a customer to deploy their applications into their platform as a service environment.”