Sharing information is critical for federal homeland security and counterterrorism programs, and as the program manager of the Information Sharing Environment, Kshemendra Paul is responsible for overseeing efforts to provide integrated information for national security operations.
Along with Kathleen Turco, associate administrator of the General Services Administration’s Office of Governmentwide Policy, Paul recently wrote a paper titled “Responsible Information Sharing: Engaging Industry to Improve Standards-Based Acquisition & Interoperability,” released by the American Council for Technology–Industry Advisory Council (ACT-IAC).
Paul has been involved in information-sharing programs for much of his federal IT career. While working at the Justice Department, he led initiatives such as the National Information Exchange Model, a governmentwide program for sharing data.
Paul spoke with FedTech managing editor Matt McLaughlin about the ACT-IAC report and federal information sharing.
FEDTECH: What are the key points that people should take away from the ACT-IAC report on responsible information sharing?
PAUL: The point we’re making is that the way to drive responsible information sharing is through a focus on interoperability. And it’s information interoperability. You need to have the network interoperability — the technical levels — but it’s all about the information and being able to effectively share responsibly, protect it and safeguard it from a privacy and civil liberties and civil rights perspective, as well as from a security perspective.
The paper talks about a holistic approach to how you do this. It talks about things like leveraging the government’s strategic management processes, budget and planning, requirements development activity and acquisition. But it’s not about acquisition per se. There’s all this prep work you have to do to get to good acquisitions.
It talks about engaging with standards development organizations where the government is committed to working with international existing standards organizations. There’s existing policy from NIST and OMB about how to do this. This is fully in line with that and encourages strategic engagement and standard processes — again, tied to where we’re going to be spending money and where we have mission requirements.
FEDTECH: How would interoperable exchange standards achieve the information sharing that we’re looking for, and what kind of benefits would that bring?
PAUL: In any large IT system, 80 percent of the risk and 60 percent of the cost come from two things: legacy interfaces that are one-off, point-to-point interfaces; and homegrown identity credential and access management frameworks. To the extent that we can look at the information exchanges that are the most broad-based and look to standardize those, it will drive cost savings and mission improvement, and it will enable new whole-government approaches to solving the problems we face.
The major problems we face today— whether it’s homeland security, counterterrorism, transnational organized crime or public health — across the board and inherently, these are multi-organizational, cross-jurisdictional problems, so you have to be able to do effective information sharing. We’ve got to move away from the one-off, point-to-point model to share in a more systematic and standardized way. It doesn’t mean standardize everything; we’re talking about information in motion. We’re talking about broad-based information sharing. So that’s the kind of stuff that is worth taking on upfront overhead to standardize, to realize that cost savings and mission impact downstream.
FEDTECH: What is ISE’s role in information sharing, and what is the agency doing specifically to foster that?
PAUL: Our vision is national security through responsible information sharing. We have a three-part mission. Part one is advancing counterterrorism- and homeland security–related information sharing. Part two is more information-focused; it’s helping catalyze and move from information ownership to stewardship across different stakeholders. Part three is more capacity building; it’s partnerships, engagement. We bring together federal, state, local, tribal and private-sector entities to build capacity to address the challenges in our space.
FEDTECH: What kind of improvements have you seen in information sharing in the federal government over the years?
PAUL: The government’s big, but we have made progress, albeit slowly. One of the things that I highlight is the Nationwide Suspicious Activity Reporting Initiative, neighborhood watch for the nation. It codifies what police officers have been doing for 150 years, walking a beat or driving a radio car, seeing something out of place, and taking action to protect their communities. In the past, that never got further than that officer. It might end up on a 3-by-5 card in his pocket that goes through the wash. Maybe it ends up in a records management system at that local police department, but it’s now shared. We’ve systematized how that works.
Since 9/11, we’ve really pioneered a new business model for the whole government — federal, state and local. Those police officers are not being paid for by the federal government; they’re being paid for by local property taxes or state taxes. But they’re an integral part of the whole-government solution. States and localities are invested, the federal government’s invested, in a common solution creating this infrastructure for effective information sharing at the federal, state and local levels. We have sensitive but unclassified and classified connectivity to public safety. So that’s a big success in my mind.
From an IT perspective, I’d highlight the work we have done with NIEM, the National Information Exchange Model. We’re driving a common standards framework, a common lexicon, a common methodology for describing business processes. It’s gotten a lot of traction: Nineteen cabinet agencies are using it, and it’s been adopted by many states, most recently the state of Virginia. They want to tackle this issue of legacy interfaces and have standardized, information-centered interfaces versus point-to-point, IT-centered interfaces.
FEDTECH: How challenging is it to try to balance the need for information sharing with privacy concerns?
PAUL: We find it’s not a balance; it’s a question of strengthening both. To the extent that you’re doing a better job demonstrably in strengthening how you safeguard information, it gives you the confidence to do more effective and responsible information sharing. You increase both in tandem. It’s not an either/or situation. Key to the way we operate in our federated democracy and our open society is the legitimacy of public safety. That’s trust that the community has and individuals have.