HHS mirrors Google, bank regulators' IT shortcomings and more

News and notes from around the federal IT community.


HHS CTO wants 20 percent innovation time policy

In its early days, Google allowed engineers to take 20 percent of their time to work on side projects. The unusual move led to such innovations as Gmail, Google News and Google's lucrative self-service advertising platform AdSense.

Susannah Fox, the new chief technology officer at the Department of Health and Human Services, wants to bring some of that Silicon Valley mojo to her organization. In a blog post on the future of the department's IDEA Lab, she proposed that each operating division at HHS establish a "creativity zone" that would give employees "protected time" to test problem-solving ideas.

Fox also wants to eliminate some roadblocks to innovation by addressing the lack of interoperability between HHS divisions' email and calendar systems. "A major barrier to cross-departmental collaboration is our inability to share calendars, schedule cross-agency meetings or work virtually across the HHS network," she said.

Additionally, Fox is calling on HHS officials to find new ways to reward managers who encourage innovation and to let operating divisions come up with their own programs modeled on the HHS Innovates Awards. She also plans to solicit help from the White House on ways to allow proven innovators to move across HHS divisions or work at other agencies.

Feds who test bank security need IT training

Regulatory agencies that are responsible for reviewing banks' IT security often have little or no IT training, according to a Government Accountability Office report on financial cybersecurity. Furthermore, one of the regulators lacks a necessary oversight authority, and financial system watchdogs often miss the forest for the trees.

Banks have lost hundreds of millions of dollars in recent years to ATM skimmers and hackers who take over accounts via phishing attacks, malware installation and keylogging, while distributed denial-of-service attacks and data breaches have hampered financial institutions' ability to function, GAO auditors said.

However, only large institutions tend to be well-examined by regulators.

GAO said the four major financial regulators -- the Federal Deposit Insurance Corp., the National Credit Union Administration, the Office of the Comptroller of the Currency and the Federal Reserve -- had limited numbers of examiners with IT expertise, so medium-sized and smaller institutions are often examined by staff with little or no IT knowledge.

The report notes that all four agencies were increasing IT training for examiners.

GAO also recommended that Congress give NCUA an authority it currently lacks and that the bank regulators already have: the ability to routinely examine the security of the third-party technology service providers that serve credit unions, to keep those firms from becoming back doors for hackers.

In addition, GAO recommended that regulators develop big-picture data on vulnerabilities across the financial industry and analyze trends rather than focusing on individual institutions. The four regulatory agencies agreed with that recommendation.

OPM asks Congress for $37 million more for IT migration

Office of Personnel Management officials sent an email message to lawmakers on June 26 requesting an additional $37 million to migrate its IT systems to a new architecture in the next fiscal year, OPM spokesman Samuel Schumach said.

The message to multiple congressional committees, including appropriators in the Senate and House, was a response to queries from lawmakers about what additional funding the agency needed to fortify its IT systems, he said. It was not a formal budget request.

OPM Director Katherine Archuleta has been under fire from Congress for her response to a set of devastating hacks that compromised the personal information of millions of current and former federal employees. The agency plans to move its 50 IT systems and several sub-systems to a new environment known as the Shell. However, OPM Inspector General Patrick McFarland said the planning for that migration has been haphazard.

"OPM is not following proper IT project management procedures and therefore does not know the true scope and cost of this project," he said last week during testimony before the Senate Homeland Security and Governmental Affairs Committee. "The agency never prepared a project charter or conducted a feasibility study or even identified all of the applications that will have to be moved from the existing IT infrastructure to the new Shell environment."

Joint Chiefs' strategy emphasizes JIE

The military strategy released this week by Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, gave a nod to the Joint Information Environment for providing a "foundation for future interoperability."

The military is "in the process of defining the next set of interoperability standards for future capabilities," the strategy states, adding that the key to ensuring access in "contested environments [will be] deploying secure, interoperable systems between services, allies, interagency and commercial partners."

JIE is a Defense Department-wide initiative to standardize and consolidate IT networks. Although top defense officials have said JIE is crucial to interoperability, a Joint Chiefs official said last week that he was unhappy with progress on a key JIE project known as the Joint Regional Security Stacks.

"A lot of people are happy about where we are [with JRSS]. I'm not," said Lt. Gen. Mark Bowman, the Joint Chiefs of Staff's director of command, control, communications and computers/cyber.