Homeland Security information security improves

Six years after the Homeland Security Department started operations, integrating the information technology systems of its 22 formerly separate agencies remains a primary, ongoing information security project for DHS’ senior leadership.

The integration and consolidation of DHS’ existing IT systems and architecture have proven difficult for many of the same reasons that other agencies have encountered. However, unlike other administrative tasks at DHS, IT management and information security can have an immediate effect on a DHS component agency’s operational performance. In addition, the IT programs at individual agencies were tied to each agency’s culture, mission and history.

As the department marks its sixth anniversary, current and former DHS officials say they are proud of the progress made in information security during those years. DHS received a B+ on its 2007 Federal Information Security Management Act score card, up from a failing grade of F two years earlier.

Margaret Graves, DHS’ new acting chief information officer, who has worked on the department's IT programs for five years, said DHS has its sights set on getting an A. However, many steps remain in the department’s IT transformation program.

Officials are moving seven existing component agency networks to DHS’ OneNet enterprise network, and individual agencies are in the process of moving to two departmentwide data centers for storage. Officials say the consolidation will improve efficiency and security.

“It gives people an opportunity to move to enterprise services, and in the security aspect, it allows them to use common tools for monitoring the network, common tools for doing analysis on any kind of intrusions that may be promulgated against the DHS entity as a whole,” Graves said.

DHS agencies that have migrated to OneNet include Customs and Border Protection, Immigration and Customs Enforcement, Citizenship and Immigration Services, Transportation Security Administration and the DHS headquarters’ unclassified networks. Customs and Border Protection (CPB) is the department’s network steward of OneNet and also has set up a consolidated network operations center and a security operations center.

“When the department was first established, we had totally separate networks that did not talk to each other, so the first step in getting to OneNet was to establish an interlink between all those networks,” said Charles Armstrong, CBP’s chief information officer.

In addition to providing efficiencies and economies of scale by bundling purchases, Armstrong said OneNet also improves information sharing and security. The consolidation will allow DHS to reduce the number of its primary gateways to the Internet from about 100 to two, he said. Reducing the number of gateways is part of the Office of Management and Budget’s governmentwide Trusted Internet Connections (TIC) effort.

“One of the big selling points on OneNet was to establish, first of all, a common network so that we could easily exchange that information,” Armstrong said. But they also wanted to put the right security in place “so that we control the access that we need to have in a trusted environment between the different components with the different missions,” he said.

In May 2008, under a Networx contract, DHS awarded Verizon and AT&T contracts worth as much as $971 million during the next 10 years to provide a range of those services for OneNet. That included network portals, managed network services, Internet access, remote access and the new emergency communications services that DHS plans to deploy to improve responses to man-made and natural disasters.

Armstrong said awarding that contract was a milestone in OneNet. DHS has so far made about 100 orders to upgrade circuits, the wide-area networks that link different components and locations to one another via OneNet, and he hopes to transition all of the circuits by the end of fiscal 2010.

Karen Evans, who recently retired as OMB’s administrator for e-government and IT, said DHS has deployed the best practices from other agencies.

She also said that for the governmentwide TIC program, OMB looked at how DHS implemented network security and assigned roles and responsibilities to its CIO. The goal of the Trusted Internet Connection is to improve security by reducing the number of Internet gateways across the government from thousands to about 100.

Getting support

When Steve Cooper, DHS’ first CIO, started work there, he had to decide how to forge an IT architecture that would meet the mission and security needs of a diverse group of agencies while also moving toward a unified architecture for the department. He also had to contend with individual agency cultures, budgets and history.

Cooper said DHS’ senior leadership supported his plan for IT integration, but some individual agencies had reservations about losing autonomy over their unclassified networks.

When DHS first began to build interconnections and share information across components, they were essentially “poking holes… figuratively speaking, in what [other agencies] had accomplished, so people were naturally resistant,” said Cooper, now a partner at consulting firm Strativest.

After some trial and error and consultation, the department determined that a federated approach such as OneNet was the best solution. Cooper said that he didn’t think it was the best use of resources to ask Congress and OMB for funding to build an entire new network.

The Office of the Director of National Intelligence has also taken a federated approach to IT integration. Dale Meyerrose, until recently its CIO and now head of cyber and information assurance at Harris, said that in integrating intelligence agencies’ IT, he wanted to reduce agencies’ autonomy but not necessarily their authority.

“It has to do with numbers,” he said. “Do you allow thousands of decisions to be made in a hundred places or thousands of decisions in a handful of places?”

Cooper said that in DHS’ case, different component agencies brought different IT management competencies that they could provide for the entire department, such as CBP’s network stewardship and Coast Guard’s e-mail management.

Graves, DHS’ new acting CIO, said the goal is not to build centralized capabilities for DHS but rather to make DHS agencies stewards of departmentwide functions.

Armstrong of Customs and Border Protection said getting agencies to buy into OneNet required the project’s leaders to demonstrate its value. “I would say where there’s some caution on the part of some of the components is that, to some degree, they’re having to give up control of operations of their networks to another entity, and any time a CIO does that, he risks some degradation in service,” he said.

The key to successfully implementing DHS’ enterprise strategy has been centralized governance and distributed execution, Graves said. The participation of the component agencies’ CIOs in shaping the departmental IT strategy and resource allocation, accomplished through the department’s CIO council, was also important to the process, she said.

“It’s all of the good minds around the table that are applied to that — it’s back to this centralized model that allows them to voice their opinion, to have a hand in the business processes on how we are going to transition, to the sequences of the transitioning and, most importantly, to the resourcing of it,” she said.

Looking ahead

Evans said a key for DHS’ progress in IT security had been sticking with the governance structure and policies that DHS’ initial leadership put in place, along with using the CIO council effectively.

“They didn’t change the process,” she said. “What they did was keep maturing the process. They really worked hard at making that internal council work.”

Now that the department has an IT foundation, Evans said, the emphasis would be on making sure the effort fits with the priorities of Janet Napolitano, DHS’ newly confirmed secretary, and the new heads of the department’s agencies. Information integration is not yet seamless, Evans noted.

Armstrong said DHS is in the phase of IT integration that’s focused on getting better control of data that is flowing in and out of networks, thus improving security. He said eventually DHS should be better able to share information that is important for intelligence fusion and situational awareness.

“Our ability to provide that kind of data sharing between components and across the department in the future is paramount to us being what the American people want us to be,” he said.

With the ongoing work on OneNet, the level of data sharing that officials envision might be years away, but Cooper said the difference between now and when he started is already significant.

“If you compare where we were Day One, which is…nowhere with regard to sharing information or behaving as one unified [department] with regard to information assurance and information security, and compare that to where the department is today, I would tell you it’s night and day,” he said.

“I’m not saying it’s been a perfect ride,” Graves said. “We have had a few stumbles along the way, and we will probably in the future. But the most important point to take away from this is that when we have those issues we resolve them as a team and they are [all] participants in the process.”