Dec 31 2009

Wheels of Progress Roll Forward

Defense and Interior overhaul their IT infrastructures and initiate major cultural changes.

From an IT perspective, the Department of
Defense (DOD) and Department of the Interior
have much in common. Both of these huge
government organizations have ambitious plans
to remake their highly distributed network
infrastructures, and both have come under
pressure for not realizing those plans quickly.

Last July, the Government
Accountability Office (GAO) issued a
report assessing DOD's progress in
creating a Global Information Grid
(GIG)—a future DOD network
architecture that leverages key
attributes from the Internet to provide
globally interconnected, end-to-end
information capabilities. The report
concluded that significant challenges
lay ahead to make the GIG a reality.
These challenges include DOD's ability
to assure that the resulting network
will be secure enough to post and share
information, as well as its ability to
meet the goal of providing full
capability by 2020.

GAO's report—which was issued in
conjunction with a hearing by the House
Government Reform Committee—also
cautioned DOD against making further
investments in IT transformation without
first establishing an oversight committee to
confirm that the planned IT investments are
consistent with the project's objectives.

Interior's efforts to streamline and
secure its key information technology
systems were similarly scrutinized. Last
March, a U.S. District Court judge
ordered Interior to shut down much of
its access to the Internet because of
security concerns. The court order
exempted the department's National
Park Service, U.S. Geological Survey,
and Policy, Management and Budget
Office, deeming them vital for
protecting the public against fires and
other emergencies. Interior appealed
the judge's ruling and received a
permanent administrative stay of the

Against this backdrop, CIOs at Interior
and DOD are working hard to dispel
security fears, while enlisting internal
support and cooperation to keep the wheels
of progress turning.

Security First

"Timing has been our enemy," says W. Hord
Tipton, who was appointed CIO at Interior
in October 2002. He maintains that the
March preliminary injunction was based in
large part on outdated information.

Since July 2004, when GAO auditors last
assessed Interior's IT safeguards, the agency
has made significant progress in securing its
systems, he says. Today, more than 98
percent of Interior's systems meet security
and accreditation requirements as outlined
by the Federal Information Security
Management Act (FISMA), according to
Tipton. "We're in a radically different place
from where we were a year ago," he says.

Although DOD, the largest federal
agency, earned a "D" on its FISMA report
card in 2003 ("D" was the average grade for
all federal agencies combined), it
significantly increased its security posture
for the 2004 fiscal year, as noted in its FISMA
submission. The Defense Department
expects these major efforts to improve its
security grade.

Of even greater significance is the
Defense Department's rapid progress in
amassing the considerable amount of data
required for FISMA reporting. "We have
thousands of applications that need to be
fully certified and accredited," says
Dr. Margaret Myers, principal director for
the DOD deputy CIO. "To add to that, we
have to reconcile OMB's terminology and
definitions with ours."

To increase its security, DOD has reduced
the number of controlled access points to
the Internet and significantly increased the
number of systems certified and accredited.
DOD is also working toward use of public
key infrastructure for user authentication. In
addition, DOD and the department's
inspector general plan to work with OMB to
fine-tune the FISMA questions so they will
produce more meaningful metrics.

A Shift in Focus

Because of the comprehensive nature of
Defense's planned IT infrastructure
overhaul, it will be in transition for a while.
In September, DOD rolled out the first phase
of its GIG Bandwidth Expansion project,
upgrading the telecommunications
backbone at six critical sites to Internet
Protocol (IP) running on high-throughput
fiber optics. DOD plans to upgrade the
remaining worldwide sites (roughly 80) by
September 2005.

"Although the initial implementation
will allow the department to start
eliminating old point-to-point circuits, the
benefits will continue to accrue as the
consolidation, integration and migration to
IP continue," Myers says.

Enlisting support and cooperation for
the GIG among the department's more than
2.6 million military, civilian and contractor
employees is just as immediate. "We're
moving away from building stove-piped
systems and focusing more on making
information shareable by bringing the power
of the Internet inside the department," she
says. It's a change not only in the way data is
technically organized, stored and accessed,
but in the way people think about that data.

"We are trying to shift from an
applications-centric environment to an
environment that is data-centric," says
Myers, "where people are empowered by
their ability to access information and are
recognized for the inputs they provide."

The goal is to put employees in the
mindset of posting information and being
able to pull the data they need. Ideally,
adopting the Internet model for software
and data access will give military and
intelligence personnel access to the
information that is most relevant to
their mission, regardless of where that
information resides.

"Historically, we've always had to build
interfaces to integrate applications," Myers
explains. "By posting data, we eliminate the
costly, time-consuming application-to-application interface problem, because
applications are able to pull the data they
need from the network."

At DOD, this shift is called "power to the
edge," whereby people on the edge—anyone from a soldier in the field to a civilian
working in procurement—can get the data
necessary to accomplish their missions. "It's
really up to every person now to post their
stuff," Myers says. "We provide the rules, but
they have to provide the data."

DOD recently piloted four of the GIG's
planned Core Enterprise Services as part of
the August Quantum Leap 2 demonstration.
The four pilot services are discovery,
security, messaging and enterprise service
management. By year's end, the DOD
planned to pilot additional command and
control community of interest services that
support situational awareness and global
strike capabilities. Other services, including
mediation, user assistance, storage and
collaboration, are planned by 2006.

Strategic Consolidation

At Interior, Tipton is focused on continuing
the agencywide consolidation and
integration project. Strengthening both
internal and perimeter security is a high
priority, he says.

The Interior Department's chief goal is to
consolidate its 13 wide area networks
and also add state-of-the-art monitoring
and intrusion detection controls by
2006. Work is already under way to
merge the network backbones for
Interior's eight bureaus into a single
departmental backbone. According to
Tipton, the project will cost more than
$100 million over a 10-year lifecycle.
Interior's plan also calls for providing
centralized, standardized messaging and
Web-based services with participative

Consolidating the department's many
redundant systems is another important
task. With 53 lines of business, Interior is
sometimes called the "Department of
Everything Else." Many of the systems
supporting these lines of business were
redundant; other systems were sorely

Tipton's staff must lead the
transformation of the agency's widely
dispersed, independently designed and
developed IT systems into a modernized
operation governed by a uniform IT strategy.
The major systems involving security have
passed the tests.

"Our first task was to root out exactly
where the systems were, do some
inventories and asset management, and then
take a closer look at the systems
themselves," Tipton says.

"Every rock we turned over, we saw a
couple of snakes slither out," he adds. "We
found more than 2,500 Web servers
delivering content in a highly inefficient
manner. We had 553 mail servers, which is
far too many to realistically protect from a
security point of view."

Other redundancies included four
networks for law enforcement, with plans to
build a fifth; four separate applications for
land management; and 53 separate
applications for financial management.
"Initially, we identified 601 'major' security
systems," Tipton says. "We spent eight
months eliminating systems and enclaving
[isolating] a number of others to reduce that
list to 166."

With each layer of the onion his team
peeled back, Tipton grew more
convinced that a standardized IT
structure was critical to adequately
protect Interior's systems from hackers,
intruders, damaging viruses and other
security threats. That meant a real shift
in how business would be conducted
going forward.

"Getting people to relinquish control
became one of our biggest problems,"
Tipton recalls. Hardware purchases had
been made without consideration for interoperability or cost. Documentation was nonexistent, and security was often an afterthought.

"Thanks to the cooperative efforts of thousands of people—including
business and IT people throughout
Interior—we are already at a point
where that situation no longer exists,"
Tipton concludes.


The "F" that the Interior Department got on its
cybersecurity report card in December 2003
(based on July 2003 data) may have been
deserved a year ago, but the grade is misleading
today, according to the agency's CIO, W. Hord
Tipton. Since auditors last assessed Interior's IT
safeguards, the department has made
significant progress in securing its systems.

Today, 163 of Interior's 166 IT systems have
passed internal benchmarks established last year
for meeting Federal Information Security
Management Act (FISMA) security certification and
accreditation requirements, Tipton says. In 2000,
none had passed those benchmarks.

Interior is far from alone in its poor showing on
the Federal Computer Security Report Cards
issued Dec. 9, 2003, by the House Government
Reform Committee's Subcommittee on Technology,
Information Policy, Intergovernmental Relations and
the Census. Agencies averaged only a "D" on their
collective FISMA report cards for 2003. As a result,
the Government Accountability Office in a recent
report recommended that agencies shelve IT
modernization and other efforts until they had
improved IT security.

However, agencies are expected to
dramatically improve their FISMA scores for
2004, given the more than $8.5 billion spent
on IT security. According to the Office of
Management and Budget, federal agencies
spent $4.2 billion in 2003 to strengthen IT
security, up from $2.7 billion in 2002.