Federal agencies have lived through government shutdowns and prepared for floods, earthquakes and hurricanes. They’ve written, tested and revised business continuity plans designed to keep operations running in dire circumstances. But they’ve never been through anything like COVID-19.
While traditional business continuity practices tend to focus on short-term disasters and outages, the coronavirus crisis forced agencies to send employees home for months. FedTech magazine asked federal IT leaders to discuss how systems and staffers met the challenge. We spoke with Jerry Golley, CIO of the Farm Credit Administration; Jack Gumtow, CIO of the Defense Intelligence Agency; Edward Mays, executive director for the Enterprise Data Management and Engineering Directorate at U.S. Customs and Border Protection; and Vaughn Noga, CIO of the Environmental Protection Agency.
Editor's Note: For our full series of Q&As with government IT leaders on how they pivoted to remote work, click here.
FEDTECH: What portion of your agency usually teleworks, and what sort of increase did you see during the pandemic?
Golley — A large portion of our staff does audits. They’re traveling a lot, so it’s a mobile workforce. We also have a large portion of people who telework one day per pay period, so a large number of people were mobile-ready. What we didn’t know was if we could support everybody teleworking simultaneously. Previously, we might have had half the agency at any one time working remotely.
Mays — In my organization, about 20 percent of the population normally teleworks three days a week, but we’ve always been prepared for the larger telework in case of emergencies.
Noga — We have a fairly robust teleworking culture. Prior to this, we were at about 58 percent of the agency teleworking, and that was one or two days per pay period. Now, we’re at about 96 percent of folks teleworking.
FEDTECH: What IT situations arose that you did not expect?
Gumtow — Suddenly having a huge portion of our workforce and day-to-day tasks pushed to an unclassified environment created surprises that we had to quickly address. For instance, the seemingly basic process of maintaining up-to-date email distribution lists was not in place on our unclassified systems.
Then came another unexpected IT dilemma: realizing that not everyone could access their unclassified official email accounts properly from home. We settled on Microsoft Teams, and our team worked tirelessly to implement the government-sponsored version of Microsoft Office 365 that our people love. We paired this with a government-sponsored, Common Access Card–enabled capability that allows us to post information and share documents within a government-managed unclassified environment.
Golley — We had some paper processes for package routing, and frankly, staff was happy with the paper processes. But as soon as everybody was at home, it became a requirement that we automate and digitize those processes.
So there might be a policy that would have to be signed by the chief operating officer or chairman, and we’d have a cover sheet put on the package in order for it to be routed from one director to another. We created a workflow that simulated that experience digitally.
Also, everybody immediately wanted to videoconference. We made a decision to go with Webex, and we worked with Cisco to enable everyone to get access quickly. We had a user support team that was on call to help them with any problems. I was really impressed with how focused the team was. Working from home, they stepped up, they learned the new technologies quickly and met needs as people had them. We had our first virtual board meeting using Webex in April. Everyone, including the chairman, participated in that meeting from home.
Noga — One of the things I have under my purview is our enterprise operations center, the nerve center for monitoring our applications and infrastructure. Having those people not there, having that only minimally manned, that was a bit of a concern. But people are adjusting and using the collaboration tools, doing their monitoring from wherever they are, and it’s worked out well.
Employees transitioned to telework status, and they continued to do their jobs, across the board. Before, we had deployed technology, including laptops and cloud technologies like SharePoint, OneDrive and Teams. We had the capabilities in place, and we were able to exercise them immediately once we moved to full-time telework. We have redundant VPN solutions. We did experience some issues with that early on. For the first couple of weeks, we were battling some reliability issues due to capacity and were moving from around 3,000 sessions per day to around 12,000 sessions per day. We worked with AT&T to fix that, and we haven’t had a significant VPN issue since.
FEDTECH: How have employees responded to the move to remote work?
Golley — I’m a firm believer that 80 percent of the job is showing up, and then you figure out what happens during the day and you solve it. But you can show up at home too. The same rule applies. Even though they’re working from home, everybody is showing up and being there and solving the problems as they occur, and being very patient and working together to get things done.
I find myself working harder. I’m glued to my chair all day long dealing with issues. I’m a manager who likes to manage by walking around. I find myself working longer hours in the day and just saying, “Hey, what’s going on at the computer now?” at 6 p.m. or 8 p.m. I think that’s a common experience too.
Noga — I’m ever an optimist, and I was expecting what we’re seeing. Folks are coming in virtually, if you will. We’re getting the job done. I haven’t seen a drop in performance. The tolerance for trying new technologies has gone way up. Teams adoption has been tremendous. We were just piloting Teams a couple of months ago with 600 people. Today we’re at over 10,000 users. It’s been a rapid adoption, and people are more comfortable with using these new technologies.
Mays — All the things we’ve heard thus far have been incredibly positive. A lot of my peers have said they’re really surprised that we can keep all the tools and systems up and running.
I think it’s important in terms of teleworking to honor the boundaries of the workday. I work a lot, I’m pretty intense, and so my workday goes from really early to really, really late — I’m talking midnight, because the volume is so large. But as a leader, I’ve had to make sure that I’ve followed the rules of the road in terms of workday schedules for the people who work for me. When 5 p.m. comes, people want to go have dinner with their families.
We had to give ourselves the ability to shift work so we can get the work done among the teams and allow people to support their new family paradigms.
FEDTECH: How are you ensuring cybersecurity during this massive increase in telework?
Golley — We had a really good and robust vulnerability management process, a weekly security briefing, even before this pandemic happened. We’ve maintained those security briefings. We asked ourselves how security has changed because of this, and we’ve tried to address those issues and concerns and risks. We have agents on the laptops scanning for vulnerabilities and malicious software remotely, and then reporting back whenever they connect with our domain. We got an alert just today that there are phishing attacks coming from a specific email address domain, so we went in and immediately blocked that email address. Server patching and laptop patching haven’t stopped or slowed down. We’re as aggressive as ever.
Noga — The agency continues to manage distributed technologies centrally — applying routine patches, actively monitoring the network and systems, deploying new technologies that reduce common threat vectors. The infrastructure was set up so we can remotely manage machines wherever they sit. Remote support technologies are a part of our infrastructure. We’re still responding today like we responded in February.
Mays — Almost everyone has equipment furnished by the government, and they are tunneling in with a VPN. They are using their standard PIM cards, and they’re using their mobile devices, like an iPad or a cellphone, that have derived credentials. So, in terms of security, I think we have the same sort of security level as we have at the office. Just because we’re working from home doesn’t mean we don’t have to follow the same sort of policy guidelines as we do at work. We have to ensure things like screen lock are in place, people should not be behind you or monitoring what you’re doing.
Gumtow — Anything done on the unclassified environment, by its nature, is not secure. My goal has been to implement capabilities that provide a level of security that is commensurate with the level of operations and work being conducted. Does that mean it is impenetrable? No, it doesn’t. What it means is that we have and are implementing tools and monitoring activities, and we’re educating our workforce on the risks and how to operate within that environment. This includes knowing what can be shared and what they can do on the unclassified environment.
FEDTECH: What did you learn about your agency’s ability to handle telework that you didn’t know before?
Mays — This is a great opportunity for us to learn, and to push out capability to frontline users. Just having that capability at hand inherently will cause some sort of organizational change and drive us to also become more effective and efficient. That’s what technology does for us.
There are things that require you to be physically present. If you’re in Border Patrol and your trucks need to be looked at, you can’t do that well remotely. And there are things that I do, like changing configurations on servers, that can be done remotely. It all depends on the situation.
Golley — I think this will definitely change our policies. First of all, what is going back to normal going to look like? We’re going to have to be cautious for a long time, and things are going to be different. I personally think it will change not only how our agency functions but probably how the government and commercial entities work as well.
Noga — Everything we’re doing now will affect the continuity of operations plan going forward. The simple fact of onboarding new employees, that’s traditionally done in person. Now we’re onboarding new employees virtually. We’re shipping them laptops and other tools they need to do their jobs, and we’re configuring them remotely, and we had to think about how to do that while engaging in social distancing.
Gumtow — My biggest takeaway is a reminder of how resilient and adaptable people are. Done the right way, telework offers flexibilities and conveniences for our workforce that just weren’t a part of the equation a few months ago.
Moving forward, telework will always be part of DIA’s equation. Within the DIA CIO organization, I’ve set the goal of 33 percent of our team working in a hybrid telework status at any given time, permanently. This pandemic provided our team a wake-up call about how we can operate differently yet still be effective.
Digital composite: Fourleaflover/Getty Images (map); Margarete Oti/Getty Images (laptop)