Joseph Klimavicz
At the National Oceanic and Atmospheric Administration, IT operates much like the eye of the storm; it’s the energy that continually feeds data and services so that NOAA organizations can deliver their mission.
And CIO Joseph Klimavicz views it as his job to stay ahead of that storm: “My job is to figure out the right path and which emerging technologies are for real. How do we embrace them? How do we support them? How do we get bureaucracy out of the way so we can best take advantage of them?”
Klimavicz spoke with FedTech managing editor Vanessa Jo Roberts about how his CIO team works to achieve those goals, as well as about the technologies and challenges that make this effort an adventure.
FEDTECH: How do you view the work that you do in the CIO organization as it relates to the NOAA mission?
KLIMAVICZ: NOAA’s mission is very broad. It ranges from the surface of the sun to the bottom of the oceans — that’s a lot of geographical territory. Through its mission of science, service and stewardship, NOAA’s capabilities can help society address some of the most pressing questions of our time.
The fulfillment of this mission requires NOAA to observe, collect, process, evaluate, disseminate and archive vast quantities of environmental information and information products. And information technology is integrated into virtually all aspects of NOAA’s weather, climate, ecosystem, fisheries and ocean activities. So, IT is critical to everything that NOAA does. Managing IT resources across NOAA and ensuring the confidentiality, the integrity and the availability of our information systems is vital to the success of NOAA’s mission.
In other words, the mission really cannot be completed without IT.
FEDTECH: Since you have been at NOAA, what do you think are your top achievements — or perhaps ways that you’ve been most effective?
KLIMAVICZ: When I first arrived at NOAA three years ago, I laid out a 100-day plan to assess where we were with technology needs. Then I built a 500-day plan, developed in close cooperation with the NOAA CIO Council, to respond to the needs and lay the foundation for a world-class IT organization.
One of the things that we accomplished early on was improving our security posture. A lot of our accomplishments are fairly tactical in nature, securing our desktops or notebooks, and moving all NOAA users to BlackBerrys with data encryption.
But what I am most proud of is the deployment of a series of key IT infrastructure projects to lay the building blocks for an effective, efficient and secure IT enterprise.
We have also instituted NOAA-wide IT governance to acquire products and services through an integrated acquisition environment with improved transparency and decision-making ability. And through a set of mission-oriented IT initiatives, we have enhanced NOAA’s ability to process observing data and forecasting models — primarily by significantly scaling NOAA’s high-performance computing ability.
We also stood up a cybersecurity center capability to better protect NOAA’s assets and information. At NOAA, security has historically been looked at as an after-the-fact thing: You have a security incident; you go and pull the logs; you look at the logs; you do the forensics; and then you react. The problem with this model is it’s reactive. We are moving to a proactive model where you see events happening and you take action.
Another area that I would highlight is the consolidation of our wide area networks. We completed the initial phases of the NOAAnet program to unify and secure networks nationwide to reduce cost and improve performance. We still have about 13 networks with more than 10,000 circuits, and we have hundreds of connections to the Internet, which makes providing security very difficult. Obviously, consolidating those Internet points is something we are working on as well.
FEDTECH: You are also the point person for continuity of operations planning. What does that require of the CIO staff?
KLIMAVICZ: NOAA supports the nation with a wide range of disaster-response services, including atmospheric and waterborne dispersion forecasts, and helping emergency managers and first responders plan for or mitigate chemical or biological spills near the coast. My office is the lead for NOAA’s All Hazards Incident Management and ensuring compliance with the National Response Framework. We coordinate NOAA’s efforts to prevent, prepare for, respond to and recover from incidents no matter the hazard or its origin.
In addition to supporting emergency responders, my office also ensures that mission-critical IT services and information delivery is resilient in the face of catastrophic failures or unforeseen natural or man-made disasters.
The fundamental reason why continuity of operations, or COOP, is in my organization is that IT is the most critical piece. We need redundant capabilities for our mission-critical systems and services. It’s one of the areas that I am constantly exercising. Maybe we don’t need complete systems redundancy, but we need to be able to perform certain critical functions to support NOAA’s mission.
In my last job as deputy CIO for the National Geospatial-Intelligence Agency, I had the same business continuity mission. When events occur, people will go to wherever they need to in order to access technology and information. But the technology is the long pole in the tent — the thing that requires the most planning, preparation and work.
We hold quarterly tabletop disaster exercises as well as participate in national and local exercises to ensure that mission- essential functions can be performed in event of a disaster.
Another aspect of disaster preparation is emergency notification of employees. We have recently deployed a notification system supporting multiple sites. The capability is tailored in terms of alerting employees, evacuating facilities and describing needed employee actions.
We are also spending a considerable amount of time figuring out how best to support telework. We definitely think that’s important for business continuity.
FEDTECH: How extensively do you use telework now at NOAA?
KLIMAVICZ: It varies considerably by organization. NOAA is a very distributed organization. We have almost 800 facilities across the country, and we spend a lot of time collaborating. Honestly, from my perspective, it doesn’t matter whether somebody is in one of the 800 facilities or they are at home, we need to be able to work together seamlessly, so we are exploring tools, capabilities and capacities related to telework.
FEDTECH: Agencies are beginning to view smaller devices, such as smartphones, as desktops in the enterprise for IT to manage. Is that true for NOAA?
KLIMAVICZ: I think you have to look at all of these devices as computers that can enable the mission but also need to be secured. That’s why I spend a lot of time focusing on our cybersecurity efforts. I am not going to tell you how minuscule our IT security program was when I got here, but it’s grown quite a bit in three years and hopefully will continue to grow.
FEDTECH: Plus, during that time, there have been new security mandates: the Federal Desktop Core Configuration, Trusted Internet Connections, encryption of data in transit.
KLIMAVICZ: Absolutely. These are all good things to do; they all just take money to achieve.
FEDTECH: Did these mandates help you as you were trying to build up the NOAA security budget?
KLIMAVICZ: It has made it a little easier, but because NOAA’s so geographically distributed and because we are collocated with a lot of universities, our security challenges are tremendous. We are trying to improve our security posture every day, but we are not taking the approach of locking everything down. That definitely doesn’t enable the mission.
FEDTECH: What about data center consolidation? Agencies have been directed to become more energy-efficient, and greener, in their use of IT. How are you addressing that at NOAA?
KLIMAVICZ: Green IT, virtualization and data center consolidation just make good economic sense. We didn’t need a mandate to focus on efficiencies, so we have been implementing data center consolidation and green IT for many years.
For instance, let’s look at high-performance computing. NOAA has three R&D supercomputers — one at Princeton, one in Boulder, Colo., and one in Gaithersburg, Md. When we recapitalize these systems this year and next, we will consolidate from three computers to two, collocate one with the Energy Department’s Oak Ridge National Lab; using their existing data center space.
We are still working with the General Services Administration to locate another facility, but we will go from three down to essentially one facility. To me, that is a great example of how government can consolidate IT and facilities.
A lot of our data centers are collocated with satellite control or processing facilities, and we have consolidated those over the years, too. And we have consolidated all of our financial and administrative systems in one data center in Largo, Md.
Meanwhile, NOAA is building a new facility in Hawaii to consolidate about two dozen offices in Oahu that all have small IT components. So, we are collocating all IT on the island into one data center. That should help tremendously in terms of efficiencies.
FEDTECH: Are you also deploying virtualization?
KLIMAVICZ: We are, but it varies tremendously across NOAA. We are implementing virtualization as we recapitalize our IT investments. There is nothing hard about virtualization; it’s the right thing to do, and we are looking at it across servers, storage devices, operating systems and applications.
FEDTECH: Down to the desktop?
KLIMAVICZ: Absolutely. But we are not looking at one massive recapitalization of our desktops to implement virtualization. You are never going to find anybody in IT who says consolidation is a bad thing. But you need to do it strategically — when there are opportunities — just like the administration is looking at the cloud as an alternative. I think it’s actually the right thing to do; we need to look at all these as alternatives when we are making investments.
FEDTECH: Let’s get back to security.
KLIMAVICZ: We are taking a very comprehensive approach to security. Do we know all of our endpoints? Are we consolidating network boundaries? It’s a defense-in-depth approach. We’re moving from reactionary to proactive to real time. That’s an absolute imperative for a large organization like ours.
FEDTECH: What is the biggest challenge to doing that? Is it just monetary?
KLIMAVICZ: The tools that we are looking at are fairly expensive. The implementation gets easier every day, but the tools are still expensive tools to set up and to configure, and it takes a considerable amount of time for initial installation.
FEDTECH: And what about human resources? Does it require the right staff and special training?
KLIMAVICZ: It does. With a lot of these specialized tools, we are looking to industry to help us in terms of the deployment and operation.
Going to the next version or next generation of tools, combined with the fact that the threats are always evolving, makes it a constant battle to keep up. When I get asked what keeps me up at night, it’s cybersecurity and business continuity. Those are the two biggies.
It used to be that you had to do three dumb things on the computer to get infected with malware, and then it was two, then one, but now it’s essentially zero. You don’t have to do anything bad on a website or with an e-mail to get malware on your computer. That’s a challenge.
FEDTECH: Does your cybersecurity center monitor traffic and use intrusion detection systems? Is it looking for odd patterns? Can it quarantine a breech?
KLIMAVICZ: The answer is yes, but you can never be 100 percent safe. You can never guarantee security; all you can do is make it more of a challenge — and then react faster.
Typically what you are doing in an operation center is event correlation, and any one product won’t give you a complete picture of what’s going on. Your center is taking all these feeds from different tools, systems and locations, and then putting them together. It’s almost impossible for a human to be able to correlate that information quickly enough, so you need very sophisticated software to do that.
FEDTECH: From your perspective as CIO, what can the government do to innovate and lead change in IT?
KLIMAVICZ: I am fortunate being in NOAA because we have so many scientists and creative people; good ideas, creative ideas, innovation are really not hard to find. People are quick to embrace innovation in NOAA. One of the challenges is that uncontrolled innovation can lead to interoperability and inefficiency in services and capabilities. But we want to embrace the creative ideas, so I try to figure out the right sequence.
FEDTECH: And avoid chaos?
KLIMAVICZ: I believe the most effective organization is one that’s right on the edge of chaos, so I try not to stifle innovation or creativity, but rather manage it effectively.
FEDTECH: So, no chaos.
KLIMAVICZ: At NOAA, I think we are in a pretty good place.
FEDTECH: Where does NOAA fit in the IT hierarchy of the Commerce Department?
KLIMAVICZ: There are line organizations below NOAA — the National Weather Service, the National Ocean Service — that have their own CIOs and responsibilities, and we work with those IT organizations. And then going up to the department level, Suzanne Hilding is the Commerce CIO. She has a CIO Council that meets on a regular basis; we have a mature governance model for coordinating things both up and down these IT management chains.
FEDTECH: Can you discuss high-performance computing efforts at NOAA, which are extensive.
KLIMAVICZ: In the area of high-performance computing, we built a strategic plan about two years ago focused only on high-performance computing. We built the strategic plan independent of funding—funding is a pacing function, and I think the lack of funding actually helped in terms of getting everybody to agree on a strategy. We laid out a plan for where we wanted to take NOAA high-performance computing over the next five years. Then along came the American Recovery and Reinvestment Act of 2009, and we were able to secure $170 million for climate computing and modeling — jump-starting the implementation of our strategic plan.
We are following that strategic plan to the letter. We are replacing our three R&D supercomputers with two new leadership class machines. And the three computers we have today are very small by industry standards. They are dissimilar in terms of architecture so we cannot scale models across the different computers; they are essentially standalone computers, and many of our environmental models are huge and capable of consuming a tremendous amount of computing cycles. What we found with our hurricane models is that as you increase the resolution of the models, the accuracy of your predictions also increases.
FEDTECH: Since you have been at NOAA, what do you think one of your top achievements — or perhaps ways that you’ve been most effective?
I would highlight our accomplishment in establishing a strategic acquisition vehicle for IT services and products. We have made significant progress in consolidating how we acquire our IT products and services through an integrated NOAA-wide acquisition vehicle, called NOAALink. We will get improved transparency and economies of scale by bringing together similar IT acquisitions.
FEDTECH: And needs within your organization...
KLIMAVICZ: Right. And we have opened that acquisition vehicle to Commerce as well, with the plans of increasing the buying power across the Department.
FEDTECH: Do you find it extremely challenging in your agency to find people to fill IT jobs?
KLIMAVICZ: Certainly, in some areas. It’s very challenging in the areas of software engineering with respect to supercomputing. Program management and IT security are two other areas that are difficult to staff, but we have implemented several creative initiatives to improve staffing in these two areas. We have also done a lot in terms of making sure our workforce has the right certifications in the program management and IT security fields.
FEDTECH: You have had a lot of past and current experience using geospatial data and geographic information systems, which are crucial to the work that NOAA does. But there is a broader interest now in place-based management and using such data for performance management and transparency. How do you see that changing in government, and is that exciting for you?
KLIMAVICZ: This administration is putting a real emphasis on geospatial technologies and approaches, essentially geo-enabling all the data. I have been a big proponent that all data can be geo-enabled thus enhancing its value to everyone.
The administration has identified use of place-based planning as a priority for economic development, preservation of natural resources and minimizing government duplication.
Within NOAA, we are trying to bring geospatial data together to have accurate, comprehensive and easily accessible geospatial information to make better decisions. And the tools to use the data are just as critical as the data.
Critical decision making depends on the availability of reliable unbiased data, and the tools are needed to get access to the data.
The other piece that’s equally important is the visualization. We have put a lot of effort at NOAA into visualizing the data.
One example is Science on a Sphere, a room sized, global display system that uses computers and high-definition video projectors to display planetary data onto a six foot diameter sphere. It’s very impressive. There is one down at the Smithsonian Natural History Museum in the new Ocean Hall. One geospatial focus area we are focusing on in NOAA is coastal and marine spatial planning.
We also have a website called Digital Coast, but it’s more than a website. It’s bringing together diverse partners to solve and address issues. We are trying to connect different data types and instrument tools with the people that can make use of the data. What we have done is really simplify access to the data — and the tools to use the raw data. We are bringing together elevation data, land cover, orthoimagery, hydro data, marine boundary data and social economic data as well— for better decision-making.
FEDTECH: That meshes well with the president’s proposal for oil drilling off the East Coast, doesn’t it?
KLIMAVICZ: Ocean and coastal resources are already stressed by human uses, and long term trends will create ever growing needs for effective management of these resources. So we have another initiative called Marine Spatial Planning that’s trying to address how we better utilize our marine assets and our oceans. The Interagency Ocean Policy Task Force, led by the White House Council on Environmental Quality, in June 2009 tasked us to develop plans for effective coastal and marine spatial planning.
We have embarked on a fairly comprehensive initiative to improve the way we bring the data together and better utilize the marine and coastal data.
For coasts and oceans, you essentially have a 3-dimensional geospatial problem. We have already found that by making some minor changes in the way ships enter harbors, we can better protect the environment — at no additional cost to the shipping. We are trying to bring together all of the marine interests--protection of fish species and habitats, marine infrastructure such as oil drilling, as well as shipping.
FEDTECH: So you can see how these interact?
KLIMAVICZ: Right — essentially, to maximize the use of the oceans for lots of competing needs. NOAA is viewed as an honest broker in this; we are both chartered to protect the environment, but we are also trying to support the economy and create jobs.
FEDTECH: What are the technical hurdles that agencies have to overcome to take advantage of geospatial data systems?
KLIMAVICZ: Although we have done a lot in the geospatial area, especially within NOAA for the oceans and coastal areas, I would also say we have significant challenges in the geospatial area. A chief hurdle is standards.
Through different standards bodies, we have identified 24 Federal Geographic Data Committee standards. And although NOAA is a member of the FGDC Standards Working Group and a principal member of the Open Geospatial Consortium that’s defining open standards, a lot of our legacy data doesn’t conform to these standards.
FEDTECH: Legacy data?
KLIMAVICZ: We keep everything. And you really want to be able to use that data, especially the climate data. In coastal areas, it might be records on sea level height.
We are also trying to make our geospatial data available through Data.gov. We are reviewing data already posted in Geospatial One Stop (GOS) for Data.gov potential and identifying data sets and access capabilities, whether in GOS or not, which highlight the value of NOAA data to the public. You would think it would be a simple matter, but a lot of our data does not meet the standards that Data.gov has put in place. I think standards in general are a challenge with legacy data.
I also think open geospatial standards are something we need to continue pushing. Improved geospatial web services are needed to make it easier to publish the data and easier for the public to use the data.
Improved geospatial technologies and services for mobile computing are also needed.
FEDTECH: To be compatible across different types of users?
KLIMAVICZ: Absolutely. We need to make it easier to merge different data sets into an integrated geospatial service. Right now, the U.S. Geological Survey does inland hydrographic mapping, we have the lead for the coast, and the Defense Department has lead for the open ocean. If you bring together data sources from these three, you have the possibilities for data interoperability issues. Even though we have many defined standards, and we have made a lot of progress, we have a long way to go in terms of complete interoperability.
FEDTECH: Because you have that research and academic culture, is the approach to ensuring access to information different than in other organizations? Do you find that a cultural challenge for security?
KLIMAVICZ: Our culture is to collaborate with everyone, to include universities and foreign governments, and this does pose some additional security challenges. Foreign nationals have access to our supercomputers for collaboration, and the concept of using HSPD-12 credentials for authentication with non-US researchers requires us find different approaches.
If we were consolidated in terms of facilities, it would make things lot easier. But we need to figure out ways of working through these challenges and that is one of the reasons why I spend so much time with industry, with other government agencies like NOAA that have similar challenges — to understand how they are tackling similar problems.
FEDTECH: In terms of cloud computing, is that something you are using in NOAA?
KLIMAVICZ: We have been using cloud computing for a long time — especially for smaller applications. We are very comfortable with software as a service, and we are working with General Services Administration to certify and accredit Google’s IT infrastructure. We also implemented an emergency notification system that’s cloud-based.
We have used and continue using external supercomputers, and a great example of leveraging partnerships was the ability to run our most sophisticated hurricane models on the supercomputer at the University of Texas Advanced Computing Center. This effort required coordination of the computing, software, data and networks — it can be done, but there are challenges.
FEDTECH: The network is a huge issue, right?
KLIMAVICZ: A huge issue. You need bandwidth because you are moving a lot of data. One thing we are trying to do is build up our research network by leveraging existing networks. Another area that is a challenge is storage. It’s very easy in the cloud, and software as a service is fairly straightforward. But computing in the cloud — using other people’s computers — well that’s a little bit more challenging. Models and software tend to be tied to particular hardware, and the challenge is to create software standards and software that will allow our code to be truly portable.
FEDTECH: Cloud computing, virtualization, small-footprint devices are all hot topics in federal IT. But what do you think is the next big leap in technology for government?
KLIMAVICZ: We could talk about quantum computing, nanotechnology, or the semantic web. Having the National Institute of Standards and Technology in the Commerce Department is really helpful in terms of tracking the evolution of technologies.
To me the two trends that are the most relevant for the near term are the continued miniaturization of computing and also the reduced cost of hardware. Hardware is becoming less and less expensive, and the computing is becoming smaller and smaller. That poses two challenges: One is how do you take advantage of it, and one is IT security as we move to ubiquitous access.
As the hardware becomes less and less expensive, then it is not unrealistic to buy supercomputers with 100,000 or more processors. But it’s not a trivial matter to take advantage of all those processors in a parallel way. We recently hired a lead software engineer in my office to help NOAA scientists to streamline and optimize code performance and enable adoption of new tools and technologies.
We need to make it easier for our scientists who are trained in fisheries, hydrography, meteorology and oceanography to use supercomputing to the maximum extent possible.
FEDTECH: Wherever you are, whatever you are on?
KLIMAVICZ: Right, everybody is always connected wherever they are so security is a challenge.
To learn more about NOAA CIO programs, go to www.cio.noaa.gov.
