Picture of David Shive, CIO, General Services Administration.

Aug 16 2022

Q&A: GSA CIO David Shive Talks Shared Services, Zero Trust and Modernization

As the CIO who’s been at his federal job the longest, the General Services Administration’s David Shive knows what it takes to adapt for the future.

At the Government Information Technology Executive Council’s (GITEC) Emerging Technology Conference earlier this year, one name kept coming up among the federal IT experts speaking on the panels: General Services Administration CIO David Shive. Of the government CIOs currently on the job, Shive has held his position the longest — he was named to the position in April 2015 — and his experience with issues ranging from telework to IT modernization has gained the trust and support of his fellow IT professionals. FedTech Managing Editor Elizabeth Neus asked him to outline the evolution of federal information technology during his tenure.

FEDTECH: What IT changes have you seen in your agency and governmentwide since you joined GSA?

Shive: During my time at GSA, I’ve seen the role of the CIO shift from an internal IT infrastructure service provider to a strategic partner in delivering shared services to internal and external customers. We’re now running IT as a business. We are collaborating with our business partners to show the value of IT — delivering better value and savings for our customer agencies, making a more sustainable government and leading with innovation.

Technology is ever changing. We’ve seen the introduction of new technologies that are now transforming the technology landscape and enabling agencies’ missions in new ways. This includes cloud computing, DevSecOps, augmentations like AI and machine learning, and automations like application programming interface-centric architectures and robotic process automation.

EXPLORE: Why protecting federal data in the cloud is more important than ever.

At the governmentwide level, the Technology Modernization Fund has enabled multiyear transformational tech projects by ensuring federal agencies have resources throughout the lifecycle of modernization. TMF funding allows us to meet the urgency of the moment and the magnitude of this opportunity to improve government services for the American people.

We’ve also significantly improved the way the government procures cloud services. The Federal Risk and Authorization Management Program was established to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government.

Instead of each agency having to review and approve its individual cloud computing solutions, FedRAMP provides a standardized approach to security assessment, authorization and continuous monitoring for cloud-based services. It reduces redundancies across the federal government by creating an “authorize once, leverage many times” model for cloud products and services. 

Click the banner below to receive customized content by becoming an Insider.

FEDTECH: What changes have you seen in IT priorities?

Shive: First, agile delivery. The public demands and expects high-tech services. The federal government cannot spend months on investment decisions and take years before delivering products and services. Agencies are now focusing on smaller implementations and building proofs of concept and prototypes before scaling to the final implementation. 

Then there’s customer experience. Customers expect the same easy and intuitive services from the government that they receive when they interact with private industry. The administration’s recent customer experience executive order is critical for transforming customer interactions and rebuilding trust with the federal government. 

As the past few years have shown, traditional approaches to cybersecurity and network defense are no longer commensurate to the threats we face as a government. We need to raise the security bar, integrating zero-trust concepts into everything we do at the IT, security and assurance levels.

LEARN ABOUT: The evolution of edge computing and data analytics in federal IT.

As for the future of digital work, the pandemic has forced agencies to rethink their workforce strategies. At GSA, we’re thinking about the future of digital work and building upon the tools our employees already possess to connect with colleagues from any location. 

Finally, there is a constant stream of new and emerging services and technology that we’re evaluating to support our business lines. The Internet of Things — the ever-growing number of smart devices connected to the internet — make it easy to connect to the world around us. But IoT devices also share a lot of valuable information. At GSA, we’re investing in technology to drive smart buildings. Big Data and analytics are becoming more important, and we’ll need advanced tools not only to collect, store and retrieve the ever-growing amount of data, but also to conduct predictive data analysis and support advancements in AI and machine learning.

These two technologies, by the way, will continue to transform the way we use technology in the future. As machines learn and act intelligently, it will transform the way we, as humans, use technology to support everyday events.

The federal government cannot spend months on investment decisions and take years before delivering products and services.”

David Shive CIO, GSA

FEDTECH: What are your agency’s current priorities, and what are you doing to meet them?

Shive: GSA strives to provide innovative, collaborative and cost-effective IT solutions, while delivering excellent customer service to our federal partners and agencies. We’ve focused on five key pillars of modernization for our digital transformation — most important, our people and our culture.

As the rapid pace of technology changes exponentially, our challenge is maintaining a skilled IT workforce to meet the demands of tomorrow. It is critical for GSA to employ talented and experienced professionals who can embrace and adapt to these rapid changes and deliver quality IT products and services to our customers.

Mission delivery is another key pillar. Strong partnerships with our federal and industry partners are vital to the GSA mission. We strive to inspire and drive transformation for our customers.

Cybersecurity threats grow more intricate and sophisticated by the day. GSA is modernizing and strengthening our cybersecurity defenses to proactively address known and evolving threats. For example, our FedRAMP program provides a framework for agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.

DISCOVER: The requirements for cybersecurity in a 5g environment.

In the area of operational excellence, GSA is implementing new and emerging technologies to deliver quality products and services. We are continually evaluating our internal operations to find opportunities to improve and maintain our standards of excellence.

In addition, GSA strives to be a leader in providing new and innovative IT solutions to our federal customers. As business demands increase and technologies change, we’re investing in the latest tech trends to deliver smart and effective solutions.

GSA has launched a shared services strategy to streamline the IT environment, reduce duplication, simplify technology and foster an environment of technology reuse and collaborative sharing. We want to deliver common IT business capabilities that best support GSA’s mission by accelerating modernization and adoption of common solutions across the enterprise; setting technical direction for the organization; reducing duplication and operational costs; increasing collaboration across GSA IT; and improving service delivery and overall customer experience.

FEDTECH: There was much talk at the GITEC conference about your expertise in remote work. How long has GSA been using telework, and how has that changed over the years?

Shive: Ten years ago, we made the investment in cloud technologies, policy and practice to support our mobile workforce and became a more mobile agency. So, our workforce was telework-capable. 

With the arrival of the pandemic, I think the greatest lesson I learned — or relearned — is that an organization’s end product is better when it focuses on its people. Technology is an enabler for sure, but it’s really about people. We don’t do tech for tech’s sake. We do tech for people’s sake and to support the mission of GSA. When you focus on the mission, it allows for agile pivots in what you deliver and how you deliver so that you are never far off from the business priorities of the agency, no matter how they change in response to things like a new administration.

We shared our technology best practices and lessons learned with other federal agencies that were newer to telework. But we also emphasized the importance of implementing policies and change management resources to support a successful hybrid workforce.

376.9 Million

The square feet of office space owned or leased nationwide by the General Services Administration

Source: GSA.GOV, GSA Properties, Feb. 24, 2022

FEDTECH: What IT changes has GSA made to adapt to new procurement methods as IT modernization continues?

Shive: To drive IT modernization efforts, GSA is reassessing traditional processes for procuring and delivering IT services. Fixed-price contracts limit the federal government’s ability to take full advantage of the benefits of cloud technologies, Software as a Service solutions and other leading-edge technologies.

These pay-as-you-go technologies allow federal agencies to rightsize their procurements by offering the flexibility to buy services as they are consumed, instead of overbuying. They require lower upfront costs, can be scaled to meet changing customer needs and allow customers to change service providers when prices fluctuate over time.

FEDTECH: What does GSA need to do to create a zero-trust environment?

Shive: GSA recently was awarded TMF funding to modernize legacy network systems and advance our zero-trust architecture strategy. We are beginning by focusing on the three zero-trust building blocks that we believe are foundational. 

For users and devices, we are seeking to modernize and redesign our 20-year-old Active Directory stack and align to a new ICAM [Identity, Credential and Access Management] target architecture to ensure secure authentication and identity validation for key personas, including GSA staff, partners and public access, using cloud-based solutions where possible.

For networks, we are aiming to break down our traditional perimeter-based approach in favor of moving security directly to the users, devices, applications, and data. Here we have two key efforts focused on achieving microsegmentation. 

REVIEW: IT modernization efforts, as agencies work to upgrade legacy systems.

Deployment of a SASE [secure access service edge] solution will directly connect users everywhere, at home and in offices via broadband, to a central security stack that then achieves secure authentication, validates identities and negotiates access at the application level.

Achieving microsegmentation within our building security network in 500 GSA buildings that house operational technology and IoT devices will support the running of our buildings. This is key to addressing the nascent state of security in this area and will further our efforts to combat challenges like ransomware that target this space.

Last, we are focused on further modernizing our security operations center and expanding it to also cover our governmentwide shared services. Here we have invested heavily to achieve security for workloads in the cloud that is reciprocal to what we have on-premises. To achieve this, we are investing in security automation, custom dashboarding, detection aligned to application workflows and business functions, and ongoing curiosity hunting. 

By implementing these modernization efforts, GSA will improve user experience through seamless global connections to GSA-managed environments and applications while maintaining a zero-trust architecture. We will improve cybersecurity capabilities to continually verify the security of users, devices, applications and data, and achieve broad-based visibility across the GSA ecosystem with enhanced capabilities leveraging automation to manage and respond to threats in real time.

aaa 1

Register