Adapt or perish. That’s Adrian Gardner’s motto. The CIO at the National Weather Service says that embracing change is a “critical success factor” in government information technology.
On the job since January, Gardner has two large change-management items on his agenda: security and consolidation. But he also must live up to the NWS defining characteristic. It must be able to provide weather forecasting information no matter what and no matter where to protect life and property. As part of the Commerce Department’s National Oceanic and Atmospheric Administration, the NWS provides weather, water and climate forecasts and warnings for the United States, its territories, adjacent waters and oceans.
FedTech Editor in Chief Lee Copeland talked with Gardner about how he plans to focus his attention on making IT secure at the NWS as well as efforts to make the agency’s systems operations more efficient.
FedTech: What are your priorities at the National Weather Service?
Gardner: I hope to contribute to the collective effort and, if necessary, to upgrade the controls and safeguards required to improve security. Since I came on board, we’ve completed certification and accreditation of 21 systems; we’ve set out plans of action and milestones to deal with shortcomings that we identified through our reviews of managerial, operational and technical controls; and we’ve been focusing our efforts on ensuring that our critical systems, data and information are secure. You know, we live the mission every day — on a daily basis. That’s the most important piece of my work here: making sure everything has a mission focus.
FedTech: What are some of your information technology priorities?
Gardner: The two priorities I have thus far are security and IT consolidation. Where can we consolidate, and where does that consolidation make sense? And it’s important to really simplify the way we provide products and services to the men and women of the NWS, NOAA and the Commerce Department.
FedTech: Because one of your priorities is consolidation, are some of your consolidation efforts driven by green initiatives? Is that something you’re concerned about at the NWS?
Gardner: Definitely. We’re actually an environmental agency, and my background includes environmental science as well, so we’re absolutely paying attention to the green aspects of consolidation. But we’re also doing it for economies of scale. As I consult with my colleagues in NOAA and the weather service, I’m recommending that we collaborate to identify common software platforms and media to the greatest extent that our various missions allow. I expect that our general IT consolidations will have green initiatives as a byproduct.
FedTech: Sometimes green initiatives fall by the wayside at the expense of getting the mission done because they may require more effort or cost more. Have you had to make a trade-off?
Gardner: Absolutely not. I don’t know if I agree that there necessarily has to be a trade-off. If you plan your strategy correctly and use appropriate project management principles, both can be done. For IT consolidation, one of the things we look at is how we can make the IT portion of providing the mission less costly or least costly for the agency, and how those dollars can then be transferred back into the mission.
Because we’re all working in a strained budgetary environment, the opportunities are there not only to consolidate and build in some green initiatives, but also to send some of those efficiencies back into the mission so we can provide the necessary environmental information and weather information to folks in real time and save lives and property.
FedTech: We recently asked our readers about the biggest security threat facing their networks. We gave them four choices: e-mail threats that come in through malicious codes and viruses; Web-based threats that come in through Web sites; hackers who deliberately try to break in; and the threat from external devices that tie into the network, such as personal digital assistants and USB drives. Is one of those also among your biggest challenges at the NWS?
Gardner: I guess I’m concerned about all of them, and it’s hard to choose. Most threats come through e-mail, if you’re looking at numbers. I think we just have to be concerned about all of them and look at what kind of managerial, operational and technical controls we are putting in place to address them all. If I had to choose one, it would be e-mail, but my focus is really on all of them.
FedTech: The Veterans Affairs Department recently announced a purchase of about 35,000 USB flash drives. What do you think about devices that make it easy for people to bring information outside of the organization in a way that’s difficult to detect physically and control in terms of IT security?
Gardner: Security is not going to be 100 percent. There are always going to be human factors and social engineering opportunities that our adversaries will attempt to exploit. The thing we struggle with routinely is that technology is currently leading society, and then the real question becomes: Has the policy maintained pace with that?
Technology is pervasive and ever-changing, so then the next questions are: How does our policy framework maintain pace with that? Does it have the agility to do that?
You need to put in managerial, operational and technical controls that give you a layer of security around those devices. So even if you have a thumb drive, if it’s certified under FIPS 140-2, you have that as a safeguard, and that adds an extra layer of security and confidence as these devices become the norm in the workplace.
FedTech: Could you elaborate a little on the managerial controls you mentioned? Have you put some in place?
Gardner: One thing we’ve done is we’ve encrypted all of our notebook computers. And we require all USB drives to comply with FIPS 140-2, which is the Advanced Encryption Standard. If a drive or notebook is lost, it can’t be used.
FedTech: So you’re looking at technical, not managerial controls, such as restricting someone from taking a notebook home?
Gardner: That’s right, because we’re focused on mission. We have “storm chasers.” We have folks that do a lot of mobile computing. If I said, “You can’t take a notebook home,” that would severely impair our ability to provide products and services for the NWS mission.
I have to look at what my risk requirements are and what the impact would be to my mission if I don’t provide that capability to the men and women who support the NWS mission. I don’t think you can say, “You can’t take it home, or you can’t do this.” You could say it, but at what cost? That may be the difference between saving a life and not saving a life. If I had to make that decision, I would err on the side of trying to save a life, and I’d do it by putting in place the appropriate technical controls.
FedTech: Because you’re dealing with severe weather, how do you protect your own systems in terms of disaster recovery?
Gardner: Good question. That’s what we live for, so the NWS is well practiced when it comes to dealing with natural disasters. Many of our facilities and centers are by necessity located in areas where unusual and/or violent weather can be expected. Across NOAA, we’re looking at ways to improve both facility and agencywide capabilities to deal with all sorts of disasters and trying to make sure that we can recover from them.
As an agency, we’re trying to improve our understanding of our technology and enterprise architectures, our facility contingency plans, and our overall continuity of operation plans and strategies for all threats. We’re looking at threat- and risk-based design principles to guide our process for maintaining and improving our disaster prevention, mitigation, response and recovery capabilities. That’s core within the mission of the weather service — that we’ve got to provide services even when we’re in a disaster-recovery situation or when we’re in an environment where communication is a challenge.
FedTech: And I suppose if you are down as a consequence of a natural disaster, it looks extra bad.
Gardner: Yes, it does. But again, what we’ve done through our contingency planning is to be sure we can provide services even in those situations. So even if one of our facilities is down from a natural hazard or a natural disaster, we still have backup strategies to get the message and the information out.
FedTech: What are you doing from an IT perspective to support telework in your organization?
Gardner: The weather service is probably one of the largest users of the telework program. Even on my IT staff, 35 percent to 40 percent of the team members have telework agreements in place.
Our folks in the field must work that way by necessity because our locations are very remote in many areas and we have an international role as well. Working with the World Meteorological Organization, which is part of the United Nations, we actually support many remote countries.
We are a resource for all to use, and that’s why our information is available on our Web site for everyone to see.
FedTech: Is delivering IT services in real time part of your plan to improve information flow in your agency?
Gardner: Clearly, that’s our bread and butter. Near-real-time distribution of our weather data to all our consumers is a critical success factor for the NWS and NOAA. But we also need to balance the capability of our users to receive and understand and make decisions on the information they receive from us. We’re constantly trying to improve the technology and tools we use to observe, predict and deliver weather forecast information, but we can’t make our product so high-tech that we disenfranchise any portion of our population. We may believe that everybody’s on the Internet, but there may be portions of the country that don’t have access to it.
So now how do we get that message out? We use things like NOAA Weather Radio, which we’re trying to deploy in every school in the country. It’s a desktop or handheld radio that basically takes a lot of our text products that you see on the Web and translates them into a spoken message. When a severe weather watch or warning comes through, it will be transmitted on that radio as well as publicized through our Web site. It’s giving us the chance to disseminate our products in a way that some folks may call low-tech, but it may be the only way for some folks to get that information.
FedTech: What have you learned in your previous career experiences that you’re bringing to this new role?
Gardner: I guess I’m much like the technology. Technology capabilities and requirements are in constant motion. You know, anyone who’s involved in technology must embrace change as a critical success factor.
Weather service is an information-sharing agency; in my opinion and in the opinion of a lot of people, we adapt or perish. Change for change’s sake is not always thought of as a good thing, and people sometimes view it as wasteful and counterproductive. But the opportunity here to integrate meaningful new technologies into a high-value environment such as NOAA and the NWS is not change for change’s sake. It helps us improve our understanding of the world we live in, and most important, it’ll improve our ability to enable and support the mission of the NWS.
We have to constantly look at it from the standpoint of change for change’s sake is a bad thing. But as technology changes, we get enhancements, and we’re able to leverage those enhancements and provide better products. That’s where we get ahead. We hold a lot of public meetings with what we call our NOAA partners, and we’ve heard it time and time again that we’ve got to continually keep our eye on where technology is driving us. Yet we also have to make sure that we don’t move so quickly that we leave folks behind.
FedTech: You’ve said, “Change is a critical success factor.” What do you mean by that?
Gardner: I think that being in the IT community or an IT leader, you constantly have to be abreast of the technology that’s here today and the technology that’s viewed or envisioned for tomorrow. Grid computing, for instance. Do I think that’s just going to be a government or a Defense Department effort? It may actually be the way all society receives computing resources in the future. How do we plan for that, and are we looking at that as an eventuality from the standpoint of where we are today?
You really have to rely on enterprise architecture and leveraging enterprise architecture as an input into the business strategy and business decisions of an agency on how technology will plug and play for the future. Technology is in constant motion, so I constantly have to keep my eye on where it’s going — but I want to be on the leading edge and not the bleeding edge.