On a late-summer morning in August, a who's who of federal information technology chiefs gathered at the Humphrey Building in Washington for a sometimes intense, sometimes enlightening discussion about cybersecurity best practices.
Billed as a Security Report Card Symposium by its sponsor, the CIO Council's Best Practices Committee, the event took its name in part from the House Government Reform Committee's annual security assessments, which frequently give failing grades to most agencies for their security efforts. But this event highlighted successes, not shortcomings, at the Transportation and Housing and Urban Development departments.
"We asked them to talk about how they achieved that success so that our folks could listen and learn and try to emulate these examples when they went back to their home agencies," says Charles Havekost, CIO for the Health and Human Services Department and the co-chairman of the Best Practices Committee.
Sharing best practices is one solution to the ever-changing federal IT landscape that government CIOs face: Standards issues pop up here, legacy modernization plans pop up there, and right in the middle there's always the emerging Federal Enterprise Architecture. Despite the widely varying missions of agencies, technology challenges cut across organizational boundaries.
Information sharing tops the list for Havekost and Navy CIO Dave Wennergren, co-chairman of the Best Practices Committee. Together they preside over a committee that's trying to identify and share IT best practices for cybersecurity and a wide range of other technology hot-button issues to save CIOs time and money. To that end, the committee has taken a three-pronged approach to improving information sharing about successful IT initatives.
One, it hosts and promotes events, such as the security briefing, to bring government systems officials together at live events. Two, the committee is working to breathe life into online projects to let agencies easily provide access to best practices and reusable software components. Three, it's working on ways to provide feedback to agencies on what constitutes a best practice.
"Federal CIOs get it," Wennergren says. "There is a strong understanding of the power of collaboration and shared solutions."
Although information sharing may be an honorable goal, achieving it isn't always easy within the culture and competition of the government. Some agencies, particularly those in law enforcement and intelligence, are bound by traditionÂand, in some cases, even lawÂto guard information. "There definitely are stovepipes," says Bruce W. McConnell, vice chairman of outreach for the American Council for Technology's Industry
Advisory Council. The Fairfax, Va., nonprofit works with the Best Practices Committee on information-sharing projects.
An even bigger question is the quality of free advice, adds McConnell, who worked more than a dozen years in the information policy branch of the Office of Management and Budget before starting his own consulting business in Washington in 2000. "What are IT best practices anyway?" he says. "They can range from recommending a new product to a description of a formalized business process. I'm always skeptical whether one person's best practice is going to be any good for anybody else."
Despite the hurdles, Havekost and Wennergren say helping agencies identify and highlight best practices is both possible and worthwhile. "We need to help each other out so people don't have to reinvent the wheel all the time," Havekost says.
Tools for Sharing
To help CIOs find common ground, the Best Practices Committee, sometimes partnering with the American Council for Technology, organizes seminars to gather CIOs and senior staff members from various agencies to talk shop and share success stories. Late last year, the committee also launched another new effort. Working with the Council for Excellence in Government, an independent Washington advisory group, it created the CIO Boot Camp, a series of intensive, one-day workshops scheduled sporadically throughout the year to give new federal CIOs a crash course in the technical and political intricacies of their jobs.
Cost savings and efficiencies aren't the only potential benefits to projects like these, Wennergren believes. "The future is all about making intellectual capital available to the right people at the right time," he says. "It's not about information hoarding; it's about information sharing."
Federal IT managers may show a higher proclivity than other executives for information sharing. "CIOs are recruited through a pretty selective process to be change agents," says John Marshall, vice president for federal strategy at CGI-AMS of Fairfax, Va., and co-chairman of the Best Practices Committee from 2002 to 2004 while he served as assistant administrator for management and CIO at the Agency for International Development. "It's a pool of people who are all about breaking down stovepipes and sharing and collaborating."
But even change agents don't always have free reign, given the cultural and legal limits on agencies. Information overload from the proliferation of industry conferences and publications is another challenge. "There's no lack of opportunities for exchanging best practices. The real challenge is finding the nuggets out there that are most relevant to your agency," Marshall says.
"CIOs may be focusing too much on success stories," says Fred Thompson, vice president of management and technology for the Council on Excellence in Government. "Honest descriptions of failures can at times be even more enlightening than best practices. There's no puffery when you're not trying to show how great you are. When you're explaining how you worked through a challenging situation, people often connect with you better than if you're saying that everything about a project went right."
Another sharing stumbling block is what Thompson calls the "what's in it for me" factor. "There needs to be some incentive for people to spend the time and energy that goes into sharing these things," he says. "If it's all just extra work with no benefit to you, then why take the time?"
The E Factor
To make access to useful information easier, the Best Practices Committee and the General Services Administration created the Solutions Exchange. Launched about a year ago, it's a Web clearinghouse for best practices. CIO Council members can log on to the secure site, browse descriptions of projects that potentially address a pressing need like their own and use the contact information to connect with other practitioners.
There were lots of challenges in the initial rollout of the Exchange. "It took a lot of convincing to get the agencies to participate," recalls Carlos Solari, a driving force behind the Exchange when he served as committee co-chairman during his two-year tenure as White House CIO. He's now president of Solari Innovations, a Shenandoah, Va., consulting company.
"To encourage people to exchange best practices, we needed to have an inventory of best practices in the Exchange. So in the beginning we asked each agency to come up with two examples to feed the site," Solari recalls. But after the initial high-pressure period that created a flurry of initial contributions, the flow of useful practices dried up. "You'd think that an agency that gets a very sizable IT budget would have something they're proud of sharing, right? We got some best practices, but they often weren't defined very well. I believe there are a whole lot more good things out there to be shared."
One of the other challenges was that many of the contributions addressed the narrow needs of a particular agency and, therefore, had little applicability to others, Solari says. Like all compelling needs, this one will not go away, he says. "It is simply common sense that the government should have a viable means to exchange best practices and not reinvent the proverbial wheel."
Agencies have now posted dozens of initiatives on the Solutions Exchange, Wennergren notes, and cites a professionally developed training tool designed to help educate Navy uses about the key components of protecting critical assets and performing vulnerability assessments. But consultants and former Best Practices Committee officials say they're unaware of specific examples of agencies that have jump-started projects with the Exchange's help. That's partly because e-clearinghouses at best are only starting points for direct communications.
"The real value is in the meetings the CIOs hold among themselves and select conferences where they get out of their offices and have a chance to roll up their sleeves and talk with the most respected thought leaders from industry and government about their common challenges and solutions," Marshall contends.
Speaking from Experience
For his part, Havekost says the committee will continue to develop both electronic mechanisms and in-person settings where best practices can be shared. "I'm a strong believer in reference implementations, where you can have someone say, 'This is the crux of what this best practice is about,' " Havekost says. "That starts by having somebody with experience say, 'Here are the pitfalls we ran into, here's how we overcame them, and here's the best practice we implemented.' "
In the coming year, the Best Practices Committee will work closely with the government's Component Organization and
Registration Environment (www.core.gov), an outgrowth of the Federal Enterprise Architecture Project Management Office. Core.gov is a Web site where agencies can post and download reusable software components developed within the government.
"This is certainly an area that we are looking into as one of the ways we can provide a more structured venue" for information sharing, Havekost says. This work will include folding the Solutions Exchange's best practices information into Core.gov's components registry.
Havekost also believes that the government's cross agency grants Web site, www.grants.gov, provides a model for collaboration. As the site's inaugural program manager in 2002, Havekost says the experience taught him that best practices don't always involve identifying a single-best way to achieve a goal.
"At Grants.gov, we had to pick one out of the many perfectly good ways agencies had developed for processing grants," he explains. "We then had to prove that this approach was feasible for other agencies to use and knock down the barriers to implementation within those agencies. We showed that it is possible and practical to do business the way that we had laid out with Grants.gov. The Best Practices Committee is a lot like that, except we don't have a giant budget and an army of contractors scurrying about. So the challenge is to demonstrate positive, measurable outcomes and get enough mindshare so that the committee sustains its momentum."
|What's Worked: Some Early Best-of-the-Best Examples|
|Here are five projects—among a growing number of technology tools and innovations—that one agency developed and others later adopted.|
|Product or Service||Developer||Benefit|
|Emergency Communications Web Site||Commerce Department and Executive Office of the President||When traditional communications fail in an emergency, agency staff sign on to a secure Web site to report their whereabouts and receive guidance from managers.|
|IT Workforce Development Road Map||Navy||A career-planning tool for IT workers that identifies competency gaps and tracks development strategies|
|Security Assessment Software||Navy||A tool to identify potential security holes in systems|
|Buy Accessible Wizard||General Services Administration||An electronic guide for determining compliance with Section 508 regulations|
|Smart Cards||Defense Department||Agreements on security standards allow for a single personal identification smart-card format to be used by more than 4 million people throughout the military.|