Management | Information Security

Homeland Security information security improves

Agency CIOs within Homeland Security find a way to work together

Six years after the Homeland Security Department started operations, integrating the information technology systems of its 22 formerly separate agencies remains a primary, ongoing information security project for DHS’ senior leadership.

The integration and consolidation of DHS’ existing IT systems and architecture have proven difficult for many of the same reasons that other agencies have encountered. However, unlike other administrative tasks at DHS, IT management and information security can have an immediate effect on a DHS component agency’s operational performance. In addition, the IT programs at individual agencies were tied to each agency’s culture, mission and history.

As the department marks its sixth anniversary, current and former DHS officials say they are proud of the progress made in information security during those years. DHS received a B+ on its 2007 Federal Information Security Management Act score card, up from a failing grade of F two years earlier.

Margaret Graves, DHS’ new acting chief information officer, who has worked on the department's IT programs for five years, said DHS has its sights set on getting an A. However, many steps remain in the department’s IT transformation program.

Officials are moving seven existing component agency networks to DHS’ OneNet enterprise network, and individual agencies are in the process of moving to two departmentwide data centers for storage. Officials say the consolidation will improve efficiency and security.

“It gives people an opportunity to move to enterprise services, and in the security aspect, it allows them to use common tools for monitoring the network, common tools for doing analysis on any kind of intrusions that may be promulgated against the DHS entity as a whole,” Graves said.

DHS agencies that have migrated to OneNet include Customs and Border Protection, Immigration and Customs Enforcement, Citizenship and Immigration Services, Transportation Security Administration and the DHS headquarters’ unclassified networks. Customs and Border Protection (CBP) is the department’s network steward of OneNet and also has set up a consolidated network operations center and a security operations center.

“When the department was first established, we had totally separate networks that did not talk to each other, so the first step in getting to OneNet was to establish an interlink between all those networks,” said Charles Armstrong, CBP’s chief information officer.

In addition to providing efficiencies and economies of scale by bundling purchases, Armstrong said OneNet also improves information sharing and security. The consolidation will allow DHS to reduce the number of its primary gateways to the Internet from about 100 to two, he said. Reducing the number of gateways is part of the Office of Management and Budget’s governmentwide Trusted Internet Connections (TIC) effort.

“One of the big selling points on OneNet was to establish, first of all, a common network so that we could easily exchange that information,” Armstrong said. But they also wanted to put the right security in place “so that we control the access that we need to have in a trusted environment between the different components with the different missions,” he said.

In May 2008, under a Networx contract, DHS awarded Verizon and AT&T contracts worth as much as $971 million during the next 10 years to provide a range of those services for OneNet. That included network portals, managed network services, Internet access, remote access and the new emergency communications services that DHS plans to deploy to improve responses to man-made and natural disasters.

Armstrong said awarding that contract was a milestone in OneNet. DHS has so far made about 100 orders to upgrade circuits, the wide-area networks that link different components and locations to one another via OneNet, and he hopes to transition all of the circuits by the end of fiscal 2010.

Karen Evans, who recently retired as OMB’s administrator for e-government and IT, said DHS has deployed the best practices from other agencies.

She also said that for the governmentwide TIC program, OMB looked at how DHS implemented network security and assigned roles and responsibilities to its CIO. The goal of the Trusted Internet Connection is to improve security by reducing the number of Internet gateways across the government from thousands to about 100.

Getting support

When Steve Cooper, DHS’ first CIO, started work there, he had to decide how to forge an IT architecture that would meet the mission and security needs of a diverse group of agencies while also moving toward a unified architecture for the department. He also had to contend with individual agency cultures, budgets and history.

Cooper said DHS’ senior leadership supported his plan for IT integration, but some individual agencies had reservations about losing autonomy over their unclassified networks.

When DHS first began to build interconnections and share information across components, they were essentially “poking holes… figuratively speaking, in what [other agencies] had accomplished, so people were naturally resistant,” said Cooper, now a partner at consulting firm Strativest.

After some trial and error and consultation, the department determined that a federated approach such as OneNet was the best solution. Cooper said that he didn’t think it was the best use of resources to ask Congress and OMB for funding to build an entire new network.

The Office of the Director of National Intelligence has also taken a federated approach to IT integration. Dale Meyerrose, until recently its CIO and now head of cyber and information assurance at Harris, said that in integrating intelligence agencies’ IT, he wanted to reduce agencies’ autonomy but not necessarily their authority.

“It has to do with numbers,” he said. “Do you allow thousands of decisions to be made in a hundred places or thousands of decisions in a handful of places?”

Cooper said that in DHS’ case, different component agencies brought different IT management competencies that they could provide for the entire department, such as CBP’s network stewardship and Coast Guard’s e-mail management.

Graves, DHS’ new acting CIO, said the goal is not to build centralized capabilities for DHS but rather to make DHS agencies stewards of departmentwide functions.

Armstrong of Customs and Border Protection said getting agencies to buy into OneNet required the project’s leaders to demonstrate its value. “I would say where there’s some caution on the part of some of the components is that, to some degree, they’re having to give up control of operations of their networks to another entity, and any time a CIO does that, he risks some degradation in service,” he said.

The key to successfully implementing DHS’ enterprise strategy has been centralized governance and distributed execution, Graves said. The participation of the component agencies’ CIOs in shaping the departmental IT strategy and resource allocation, accomplished through the department’s CIO council, was also important to the process, she said.

“It’s all of the good minds around the table that are applied to that — it’s back to this centralized model that allows them to voice their opinion, to have a hand in the business processes on how we are going to transition, to the sequences of the transitioning and, most importantly, to the resourcing of it,” she said.

Looking ahead

Evans said a key for DHS’ progress in IT security had been sticking with the governance structure and policies that DHS’ initial leadership put in place, along with using the CIO council effectively.

“They didn’t change the process,” she said. “What they did was keep maturing the process. They really worked hard at making that internal council work.”

Now that the department has an IT foundation, Evans said, the emphasis would be on making sure the effort fits with the priorities of Janet Napolitano, DHS’ newly confirmed secretary, and the new heads of the department’s agencies. Information integration is not yet seamless, Evans noted.

Armstrong said DHS is in the phase of IT integration that’s focused on getting better control of data that is flowing in and out of networks, thus improving security. He said eventually DHS should be better able to share information that is important for intelligence fusion and situational awareness.

“Our ability to provide that kind of data sharing between components and across the department in the future is paramount to us being what the American people want us to be,” he said.

With the ongoing work on OneNet, the level of data sharing that officials envision might be years away, but Cooper said the difference between now and when he started is already significant.

“If you compare where we were Day One, which is…nowhere with regard to sharing information or behaving as one unified [department] with regard to information assurance and information security, and compare that to where the department is today, I would tell you it’s night and day,” he said.

“I’m not saying it’s been a perfect ride,” Graves said. “We have had a few stumbles along the way, and we will probably in the future. But the most important point to take away from this is that when we have those issues we resolve them as a team and they are [all] participants in the process.”


Reader comments

Fri, Mar 27, 2009 GlobusProject Washington, D.C.

The DoD COCOM can sit at the NSC table, but the Civilian CS Czar must also be at NSC and also report to the President. Because Cybersecurity is both DoD/Military, Federal and Private Sector. You need the force of President Obama directly pushing his NSA Gen James Jones, his COCOM and his Cybersecurity Czar to push through the Cybersecurity in all of these sectors. Also a Note: Cybersecurity is Strategic, and to build you need Knowledge Management people to do this. The Scientists, the Mathematicians, the Auditors and to a large extent Counterintelligence and Intelligence analysts are knowledge workers. It is at this Strategic Knowledge Management levels that you have to integrate Knowledge Management. CIOs and COOs are not knowledge management people, but they are process management implementers. These two groups are like oil and water and don't mix easily. Knowledge Management experts must work with the Information Assurance experts to concentrate on Organizational Design and Knowledge Management Capabilities to mature our acquisition and use of data/information/knowledge which is what Grid Technology is all about. This is NOT the work of the process management implementer (CIO/COO) side of the organization, but that of the knowledge management and builders of Performance Management and Decision Support Systems.

Fri, Mar 27, 2009 GlobusProject Washington, D.C.

Information Assurance and INFOSEC involves many components: Governance, Risk Management, Auditing, Compliance and Counterintelligence (which is very proactive). Just like Steve Cooper has made the 22 DHS Agencies Component CIOs cede power to the CIO Council (managing Networks), DHS will have to cede power/control to an outside group/Agency who have to oversee the business and IT processes of DHS. DHS had to increase the maturity of their management processes. This is what they are doing- Process Management. When they control process at maturity level 3-4 then you can start to have security (INFOSEC). Information Assurance has to be done by an outside entity, if not, DHS will continue to falsify data (data integrity), in the area of Risk Management (RMS) and FISMA (TFT). You cannot have a system that measures itself (oversees), as you will find that these metrics will be worthless. An outside independent entity has to do data acquisition. These Risk Management programs have to be done by an outside group- could be ODNI, DOD/NSA or even DoJ/FBI. But the LOB who has expertise here is the NSA. They ARE the Information Assurance specialists. The NSA are the ones who HAVE TO DO THIS. There is also along with the Information Assurance functions of Governance, Risk Management, Auditing, Compliance and Counterintelligence, a knowledge component. Cybersecurity is strategic with Warfighter capabilities in the DoD, NSA, ODNI and Domestic DoD Emergency Preparedness areas. And Cyberwar will be done by Generals and NSA people, who will have to integrate all data, and security for use at the "Point of the Spear". Cyberwarfare, CyberIntelligence, CyberCounterIntelligence and CyberSecurity are all tied together. DHS is unfit for such a proactive, rapid response activity. Only the ODNI and NSA can handle such data/information/knowledge collection, analysis and use, in real time. And ONLY the NSA has such integration abilities in Information Assurance from DoD to the Private Sector.
This is why the Cybersecurity function within the CNCI has to be with the NSA- as they will be at the elbow of the Generals fighting Cyberwars. NOT DHS. What the NSA does, Information Assurance, then has to be transferred to the rest of the Federal Govt. and then to the Private Sector. This is why a Civilian Cybersecurity Czar has to report to President Obama. To make sure that Cybersecurity at the "Point of the Spear" with a Combat Commander (COCOM- 4 Star General) in Cyberwar, with NSC is supported in wartime. But also has to be with the NSA, which then spreads it to the Federal Sector then to the Private Sector, in a peacetime scenario. In peacetime, the Civilian Cybersecurity Czar is important. In wartime, the authority transfer to the COCOM. This is how our government functions. As under DHS NIPP, it is one big network and Critical Infrastructure Protection is in these three areas- DoD, Federal and Private.

Wed, Mar 11, 2009 Washington DC

Mr. Armstrong stated the crux of the problem DHS faces in moving to one-net and continuing to "improve" security. That problem is simply to improve security while at the same time providing service without degrading what is already in place. In the last three years since I joined a DHS component in the IT security field, I have witnessed many changes in security with little if any improvement but a constant degradation in service. DHS, OMB, and Congress should worry less about obtaining an A which gives the appearance of excellent security and more about providing an IT environment that provides adequate security where risk is reduced to its lowest level of risk with superior performance. Remember, there is not and never will be a completely secure operating environment.
