DHS Special Report | Forward Motion
Amid widely documented IT failures, security advances and infrastructure upgrades are gaining traction at DHS
- By Wilson P. Dizard III, GCN Staff
- Jun 16, 2006
MAKING THE GRADE: While DHS has earned failing grades for its systems security for the last two years, CISO Bob West's security evaluations could be helping to turn things around.
The mood in the meeting room at the Homeland Security Department's CIO
office was tense already when Bob West made his proposal.
It was midday on a Wednesday in early
spring last year, and the department's
CIOs had gathered in the nondescript
federal building near L'Enfant Plaza in
Washington for their weekly review of
DHS' most pressing technology issues, a
regular meeting that routinely called
forth strong opinions.
West, the department's chief information
security officer, was proposing to send
an IT security evaluation team, what the
CISO office called a 'boarding party,' into
one of DHS' 'big six' agencies, the headline
organizations that field thousands of
technology users and hundreds of systems.
The idea wasn't going over well with
the CIOs in the room, except for one.
West's group already had conducted a security
evaluation at one DHS agency, finding,
among other things, that the agency
had a poor grasp of its own systems. The
CIOs at the meeting, who had pushed back
at West's IT security evaluations from the
beginning, vocally condemned the proposal
for a second boarding.
Recalling the meeting, West said, 'I didn't
say anything, which is unusual for me.'
But in a moment that suggested a sign
of hope for West, and DHS, the CIO of
that first agency reviewed by the boarding
party spoke up to defend and recommend
the security evaluation.
'The CIO said the boarding party
process was 'one of the most empowering
things that ever happened to me as a
CIO. Now, [IT professionals in the
agency] are coming to me with their
problems,' ' West recounted.
Charles Church, now CIO of DHS' Preparedness
Directorate, who attended
that meeting, recalled that moment and
its deeper impact: 'It allowed the CIO to
reassert control. As a CIO, IT security is
one of my two clubs. Procurement control
is my other club.'
It was a small ray of light, perhaps, but
one that helps reveal the other side of DHS'
story. Even as the department has stumbled
through project failures, stalled during
leadership vacuums and withstood withering
criticism, DHS has delivered some projects
that serve as exemplars of technology
management and are improving prospects
for better project performance.
The special report in this GCN issue and
the next pinpoints these examples of DHS
technology leadership and traces how
their success could help the department
improve other stumbling IT operations.
This issue focuses on IT projects already
well under way that incorporate pockets
of progress, while the next issue of GCN
examines pending or fledgling programs
that show the way forward. They range
from traveler identification and port
monitoring systems to terrorist screening
applications and online mapping sites.
These successes have been accomplished
against a backdrop of well-known
failures, including an array of IT projects
that are in many cases delayed, over
budget or performing poorly (see chart).
Stumbling blocks have included turnover
in critical leadership jobs that has left
many component agencies rudderless, as
well as the department's drifting course
and subsequent disruption by secretary
Michael Chertoff's Second Stage Review
shake-up last year. But in some areas at
least, DHS seems to be turning a corner.
At a glance, IT security might not appear
to be a pocket of progress. It has been but
one leitmotif in DHS' three-year, off-key
symphony of costly, failed technology projects,
which according to the steady flow of
audit reports, news stories and congressional
hearings, have delayed the agency's
deployment of IT to meet its mission.
DHS has earned failing grades on its Federal
Information Security Management
Act scorecard for the last three years.
And IT security remains one of DHS'
most glaring vulnerabilities, officials concede.
'We have a long way to go,' said
Tony Cira, the CIO office's director of information
operations and a veteran Defense
Department IT manager.
But advances in security technology and
procedures appear to be laying the groundwork
for better performance.
'We have gotten beaten up on security,'
CIO Scott Charbo conceded. But he said
there is 'real security value' in several
pending department projects, such as the
rollout of employee credentials that will comply with Homeland Security Presidential Directive 12.
West contends that his security operation
will certify and accredit 100 percent
of DHS' systems by the end of fiscal 2006.
Currently, about 60 percent are accredited.
Through this activity, West's office has
engaged the department's IT officials in the
task of assigning ownership to all of the
more than 700 systems in the department.
During interviews with senior department
IT staff, they cited estimates of the
department's systems ranging from 760
systems to more than 800, and eventually
conceded that methods of counting
In addition to its overall problems in
mounting specific programs, the department
has inherited a hodgepodge of agencies
with widely varying goals and dissonant
James Lewis, director of the Center for
Technology, said, 'Even within agencies
that have been around for a while, there
really isn't a single approach.'
But West and his team are driving to impose
uniformity across the department by
various means, such as adopting certain
National Institute of Standards and Technology
IT standards and building a common,
mandatory standards framework.
In addition, technology leaders have
pinpointed which agencies are leaders
and laggards by compiling a chart that
describes, among other things, the percentage
gap between the total number of
each component's systems and those that
have been certified and accredited.
According to the chart, the Coast Guard
is the best-performing agency, with all of
its systems certified and accredited.
Close behind is the U.S. Visitor and Immigrant
Status Indicator Technology program,
which has only 2 percent of systems
not yet certified and accredited. Those
agencies, and others with low proportions
of unexamined systems, qualified
for 'green' C&A ratings.
Other agencies, such as the Transportation
Security Administration, had higher
levels of unexamined systems as of April,
according to the chart, and earned yellow
The worst rating level is the red designation,
earned by agencies such as the Federal
Law Enforcement Training Center
and the Office of Intelligence and Analysis,
with gaps well into the double digits.
Cira said he plans to bring in the National
Security Agency's Blue and Red teams
of IT security specialists to analyze DHS'
networks and systems, and pinpoint areas
In terms of IT security,
West said, 2005 was the
year of creating a systems
inventory and installing
automated systems for security
compliance, such as
Trusted Agent FISMA
from Trusted Integration Inc. of Alexandria, Va.
'In August 2005, we
kicked off a week-long security
event at which secretary
[Michael] Chertoff announced
remediation plans,' West
said. 'In 2007, it will be the
year of raising the bar.'
The department will rely
on role-based training, tailoring
employees' security knowledge
levels to their job needs, West said. That
will be done with the assistance of an enterprisewide
learning management system
to implement and track training
progress, he said.
'When I came in this job in July,
we were red-red [on security],'
Charbo said, referring to the department's
failing grades on security status
and on security progress.
'We are still red on status, but we are
green on progress,' Charbo said.
As the department begins to shore up its
shaky security posture, it also will press
forward with a comprehensive technology
upgrade that already has brought good
results, and promises to improve new
projects' chances for success.
Acting CIO, Rear Adm. Ron Hewitt of the
Coast Guard, led the effort when DHS technology
officials planned the IT Infrastructure
Transformation Program in early 2005.
The most important way ITP differs
from the department's previous technology
upgrade efforts is that it drives the responsibility
for planning and managing
specific IT upgrades down to DHS' major
component agencies [GCN, Aug. 29,
2005, Page 1]. 'Putting the ownership of
the [IT makeover] projects in those components
is just a way of leveraging [their
capabilities],' Charbo said. For example:
- The Coast Guard was given responsibility
for consolidating and reforming DHS'
e-mail systems and help desk operations.
- Customs and Border Protection got the
job of merging DHS data centers and
networks, notably on a sensitive but unclassified
network known as OneNet, as
well as secret and top-secret networks
that have allowed the department to almost
eliminate its reliance on the Pentagon
for classified network services.
- The Federal Emergency Management
Agency took control of providing sensitive
but unclassified video network services.
- The Office of the Chief Procurement
Officer took the job of consolidating the
department's IT purchasing via two
procurement vehicles, now pending
award, known as Eagle and First
Source [GCN, Aug. 22, 2005].
The department's CIO office established
an ITP Management Office to ride herd
over the components' execution of the
But ITP also tapped the technology
management resources of DHS agencies
that were in many cases better funded
and more mature than the headquarters
ITP already has scored a signal success that affects the daily work of thousands of
DHS employees. In October, the Coast
Guard rolled out a consolidated directory
of the e-mail addresses of DHS employees.
Previously, the department's employees
and their contractors had no simple
way to make contact with their counterparts
in other DHS agencies.
The Coast Guard is still working to consolidate
DHS' gaggle of e-mail systems,
which range from the time-worn Lotus
cc:Mail through various Microsoft and
But now at least, DHS is beginning to
achieve the ability to talk to itself.
'Before we got this directory, distributing
a simultaneous departmentwide message
via our counterparts in other directorates
was a difficult exercise,' one department
official said recently.
'We did it by cascade: We would send
it to one directorate office after another
and then arrange to have it released
across each directorate simultaneously,'
the official said.
DHS officials expect the e-mail consolidation
program to reduce the number of
servers devoted to that function from about
1,200 to about 30, with attendant improvements
in security, reliability and cost.
Department officials look for substantial
improvement in their IT procurement
when the Eagle and First Source contract
awards roll out this summer.
The department's network and data center
consolidation project will supercharge
DHS' ability to upgrade systems security,
eliminate redundant applications, pare
back needless network traffic, and gain
control over architecture and standards
'The ITP is a program management discipline,'
Cira said, noting that a central
function of the project is to standardize
the department's IT management work.
So far, DHS officials have kicked off
ITP's rollout of FEMA's video services
work and the Coast Guard's help desk and
e-mail projects, Charbo said during a recent
ITP's future stages have been planned and
are poised for launch, Cira added. 'Right
now, it is not a matter of making it happen,
we are doing it,' Cira said. 'We have the
specifications, and we have the design.'
During a discussion of DHS' pending IT
projects, Charbo said, 'I came into this
job in July. It is hard to build a
service-type organization overnight.'
But Charbo's own performance appears
to have met with his superiors' approval,
because he recently received the
additional job of deputy secretary for
management. While his new job likely
will saddle Charbo with additional,
time-consuming duties, it also gives him
final say over the department's technology
agenda, as many have recommended
[GCN, June 5, Page 5].
The department's security upgrades
and ITP systems makeover appear to
have improved the prospects for success
of other DHS technology projects, which
in turn could become additional pockets
The other stories in this issue examine existing
DHS programs that are delivering results
and improving their performance in
the fields of screening and targeting, maritime
domain awareness, geospatial activities
The improvements from these projects
reflect how DHS itself is gradually coming
'For the first two years, we didn't have a
strategic plan [for managing IT],' Preparedness
Directorate CIO Church said,
referring to his directorate's predecessor
organization, the Infrastructure Protection
and Information Awareness Directorate.
'Now, we are in Version 2.0 [of our
directorate's enterprise architecture] and
soon we [will] have Version 3.0.'
DHS' technology structure still faces
steep obstacles, not to mention resourceful
and determined enemies as well as serious
But as for winning the battle to create a
functioning IT environment, the department's
current status recalls the words of
Winston Churchill when the Royal Air
Force won the Battle of Britain. 'This is
not the end. It is not the beginning of the
end. But it is the end of the beginning.'
NEXT WEEK IN GCN: DHS technology
projects either being planned or in their
early stages hold out the hope for improved
performance in the fields of data center
and network consolidation, radio frequency
identification devices and biometrics,
border technology and IT procurement.