Before David DeVries left the Defense Department to take over as the chief information officer at the Office of Personnel Management, he sent off a few things that he chose to encrypt because they included his personally identifiable information.
He’s been with OPM since late summer, and he told an audience gathered at FCW’s Nov. 29 Big Issues conference in Washington, that they have yet to unencrypt them — just like he’d hoped.
“That’s to prove a point; this is about information and how do you secure information,” DeVries said. “When I retire I want to have that same ability to do that if I change jobs again. I want my identity to go with me.”
Preservation of PII and other data is at the heart of modernizing legacy IT systems across the government, DeVries said, and especially for an agency like OPM.
“Federal civilian agencies, their whole mission is about information sharing, production, how do you do it,” DeVries said, adding that OPM oversees hiring, payroll, retirement, life insurance and even posthumous records for family members.
“That’s more than records management, that is information management, dissemination, security, protection and all that kind of stuff,” DeVries said. “This is about people, people are what make things happen and this effects the people that are federal employees, they used to be federal employees, they will be federal employees, they will be political employees, they are contractors.”
DeVries said the “conundrum of legacy” is that when you ask to see a budget for legacy IT, or report how many major legacy systems you have, there’s no easy answer. That’s because one system could have multiple parts and multiple owners.
“I’m just a broker of information, so when you say you have to update the legacy, you just now backed me into a corner,” DeVries said.
When an agency CIO is asked to name a legacy system and what it’s going to be replaced with, that’s another corner they’ve been backed into, DeVries said, because now you have to define a requirement, put out an RFP and go through the procurement process — and potential protests — all to end up with something that’s going to be outdated thanks to the time it took to get through the contracting process.
“I don’t want to replace that legacy system, I don’t want to keep paying the bill I am for that doo-dad I have there,” DeVries said. “Now how do I get the applications off there, into something that I can also do cost accounting on it, cost allocation if you will. What is my cost of doing business? How do I drive that back? I think that’s where the federal government today is … how do you look at IT not as a cost center, but how do I incorporate it into the cost business side? I can’t keep looking at my systems and saying I’m going to replace this system with something that looks modern, because it’s the data in and the data out.”
OPM’s Office of Inspector General included modernizing IT as one of the agency’s top internal management challenges.
According to a letter from the OIG, included in OPM’s Agency Financial Report for fiscal 2016, after the 2015 cyber breaches, the agency started overhauling its network infrastructure to be more centralized.
“While we agree in principle that OPM’s outdated technical infrastructure needs to be modernized, we have serious concerns with the way in which this project was initiated and the way it was managed throughout FY 2016,” the report stated. “OPM is now in the early stages of assessing the alternate solutions that could address the agency’s long term technical needs. However, OPM faces enormous hurdles in reaching its desired outcome — many of which we do not believe the agency is adequately prepared to address.”
One challenge, the IG states, is that OPM doesn’t have a “mature program” in place to hold information system inventory on the work to update and improve it’s hardware and software, nor does it have the funding for this inventory.
Another challenge is the complexity of moving legacy systems into a new environment.
“These systems must be completely redesigned and rebuilt before they can be migrated into a new secure environment. OPM is in the process of developing a digital services team that leverages system development experts throughout government, but simply having development talent available does not resolve the other challenges,” the IG report states. “While we fully support OPM’s efforts to modernize its IT environment, we are concerned that there is a high risk that its efforts will ultimately be unsuccessful.”