Admittedly, IT security is a top priority for NASA CIO Jonathan Q. Pettus. But given the space agency’s highly educated, scientific workforce — a workforce that loves to innovate and knows how to work around security policies — Pettus has learned to tread lightly.
As he puts it, "The challenge for a CIO is: How do you partner and be seen as a supporter of innovation and not as a roadblock?" FedTech Editor in Chief Lee Copeland spoke with Pettus about his initiatives and challenges, and how coaching high school basketball prepared him to lead his NASA IT team.
FedTech: NASA has some of the biggest brains in the country — in the world — working for it. What policies do you have in place to keep some of that very cool, perhaps top-secret, stuff locked down?
Pettus: At NASA, IT security is particularly challenging because our mission is about creating knowledge and information, and sharing that with our partners — with academia and with scientists, not only in this country but other countries. It’s a challenge to make the data available to those who need it, and yet ensure that we’re also protecting information that in many cases is a critical national asset — important to the nation’s security and knowledge advancement.
NASA consists of two interwoven and broad communities of scientists and engineers. The engineering function is very different from the scientific function, but the scientists obviously have to work closely with engineers who design the spacecraft, the vehicles and the mechanics of the systems that take us into space and then conduct scientific experiments in space. It’s really only possible with lots of cooperation and collaboration between scientists and engineers in NASA.
As we implement our IT policies around better securing our network perimeter, one of the key components is outreach to our communities, specifically our scientific community, to be sure that they understand the rationale behind those kinds of initiatives and to get feedback from them on how we balance not being so prohibitive as to keep them from doing their job, with ensuring that we’re protecting the information.
One of the things we’ve implemented is two-factor identification, to be used when people remotely access services within NASA. Information isn’t accessible without a two-factor identification mechanism to log in.
We’ve built our policies around data handling and information management that in a broad way govern the release of information. You can put a lot of technology in place; but if you don’t train and communicate with individuals on how to handle information, your overall technology measures will not succeed because it comes down to how people handle information.
FedTech: Does “rules are made to be broken, so you’ve got to work with people as a foundation” sum up your management philosophy?
Pettus: Yes. I don’t think you can ever put enough technology in to ensure that you’re going to be secure. The weakest link in your whole security chain is: Do people understand when they’re handling information that is sensitive and understand how they should handle that information?
If we have policies around the use of technology, because of the significant IT savviness of our workforce, they will quickly look at any rule that’s made to see if they can push the limits or engineer their way around it. It comes down to whether you can sell and market why a particular IT strategy is good for the organization and achieve buy-in from the user base and people in general around that strategy.
FedTech: How do you get buy-in from your people?
Pettus: We have a fairly extensive training program for internal employees. We require contractors to ensure that their personnel have taken the specific IT security training that’s outlined by our policies. If a university, for example, gets a grant, we have a set of policies to govern ensuring at least that they are aware of and know how to handle our information.
We also develop system interconnection agreements with external entities, and part of that is ensuring that certain levels of certification take place if their IT systems might be handling information that’s important to NASA.
FedTech: How many data centers do you have, and can you consolidate them into a handful, the way industry has done?
Pettus: It’s harder for us. We’ve identified about 75. It’s tricky because we also have a few servers in small facilities that are not quite data centers.
Roughly 15,000 servers are spread around the 75 data centers. We’re developing a strategy for consolidation to a much smaller number of enterprisewide data centers, and we’re planning to contract with a partner to help us implement data center consolidation. We’re already heavily relying on contractors.
FedTech: Are you looking at power consumption?
Pettus: A huge part of the cost of a data center facility is the power, and a lot of our environments aren’t completely modernized. A tremendous number of advances are occurring in industry, and one of our goals is to take advantage of that.
Another thing that we’re looking at is using virtualization technology. When the industry moved away from mainframe computing into decentralized, distributed computing, it led to this environment now where many servers are supporting specific applications, but those servers aren’t utilized sufficiently overall. Therefore, we’re wasting a lot of power. We could use less power by consolidating the number of physical servers and using software virtualization to run applications on fewer servers.
FedTech: You have said that you have so many brilliant people at NASA that it’s important to get people to share the ball and not just shoot it as soon as it comes into their hands, and that you often feel like a coach, which is kind of fortuitous since you are a former high school basketball coach. How does that parlay into an advantage in your role as CIO?
Pettus: People tend to think that the CIO function is a technology-focused function, and that’s a big part of it. But I spend a lot of my day just on relationships, coaching people, listening and trying to work through issues that often don’t have much to do with technology at all. They involve passionate people who hold passionate views about the way certain technologies should be implemented.
Like a coach, I try to get people to understand that sometimes they won’t be the star of the team; sometimes their ideas won’t carry the day. I find myself in a lot of those discussions, and it feels just like when I was coaching a bunch of high school kids in basketball or teaching math. The process of being a coach and teacher is not all that different from being a CIO.
FedTech: Do you have a lot of remote workers at NASA, and is there an increasing emphasis on allowing people to work remotely?
Pettus: It's actually not a new thing at NASA, and we have multiple types of remote workers. One is the typical kind of telecommuting with a mobile technology, such as BlackBerrys, personal digital assistants and notebooks. There's an increasing demand for supporting that within the agency.
Another kind of remote access involves collaboration with external partners - both contractors and academia. So, for example, when we landed a spacecraft on Mars to explore the polar ice caps, that was a cooperative effort with the Jet Propulsion Laboratory [in Pasadena, Calif.], Lockheed Martin and the University of Arizona. A tremendous amount of information sharing, integration and access to information across organizational boundaries was required.
FedTech: Can you tell us about NASA's green IT efforts?
Pettus: We've done a lot of work to improve energy utilization of our desktop computers and server-based computers by implementing controls. There's a lot more to do. We're looking at a pretty massive consolidation of our data centers. We'd like to move to less than 10 and maybe down to fewer than five major data centers. That's the trend, and a huge driver for that is the whole green IT phenomenon.
FedTech: How is NASA implementing Web 2.0 as an agency?
Pettus: Our deputy administrator has a public blog on our website. We're also trying to leverage social networking, Web 2.0 concepts to promote interest in space exploration and allow the public to better interact with us.
One example is the Phoenix Mars Lander, which generated tremendous public interest. Using the social networking site Twitter, the lander actually "twittered" from Mars to Earth, saying things like, "It's cold up here." The NASA team developed this to reach out to the public. The lander also took photographs, which we quickly posted on our site.
Internally, we're using wiki technology to solve problems collaboratively. Also, we have different implementations of service-oriented architecture models for our missions, and we use mash-ups for certain internal scientific applications.
FedTech: How does IT manage the role of these new applications?
Pettus: Today, outside of work, nearly everyone uses the web for personal and business transactions, and they're doing it more capably than they did before. At work, people apply those technologies to create a blog, a wiki or a way to collaborate easily. Since these tools are available on the web, programmers aren't needed.
It's a challenge for CIOs not to be seen as standing in the way of people doing their jobs but still maintain some assurance that those IT implementations are secure and consistent. You don't want to be seen as standing in the way of progress. The challenge for a CIO is how to partner and be seen as a supporter of innovation rather than a roadblock, while also ensuring that all this doesn't spiral out of control and hurt the organization.
FedTech: How would you sum up your management philosophy?
Pettus: Our overarching principle for managing IT at NASA is that everything we do is about enabling the mission. We spend a significant amount of money on IT in NASA, and we want to ensure that those dollars are all about enabling the mission. Because we're so technology oriented, we have to guard against creating great IT solutions that don't necessarily have a requirement to be great. Good is enough.
Sometimes, we should rely more on the private sector rather than creating solutions in-house, even if we can. If we don't need to develop something because it already exists in the industry, we shouldn't develop it.
Our second goal is to ensure that our data centers can collaborate seamlessly across center boundaries so that our engineers and scientists can work across those boundaries as if we're one integrated organization.
We've already discussed the third goal: ensuring that our systems are secure.
The fourth goal is efficiency in implementing IT. Therefore, our implementations and investments should always have a business case associated with them.
Finally, we've tried to clarify the role of the CIO at NASA. Is the CIO a policy-oriented position, or is the CIO also expected to deliver IT services? Ultimately, we want the CIO to be seen as an enabler, a facilitator who's helping our mission succeed rather than as a policeman who's trying to keep people from implementing certain technologies.