VA sets four-part systems agenda
- By Preeti Vasishtha
- Aug 07, 2002
John Gauss, Federal IT Journeyman
Henrik G. DeGyor
As John A. Gauss was preparing to retire last May after serving in the Navy for 32 years, he received a call from a friend in the private sector asking him to consider applying for the position of assistant secretary for information and technology at the Veterans Affairs Department.
That night, a slightly reluctant Gauss found himself browsing the department's Web site, www.va.gov. After reading congressional testimony and General Accounting Office reports about VA, the rear admiral said to himself, 'Been there, done that - and I think I can help.'
He took the CIO post that summer. Gauss oversees systems and telecommunications for veterans' medical and benefit programs and the department's financial management.
In his final naval post, Gauss was commander of the Space and Naval Warfare Systems Command. That job followed a series of engineering and systems management posts over the life of his military career, including a stint as the deputy director of engineering at the Defense Information Systems Agency.
Gauss - who has received numerous honors from the Navy and Defense Department - has a bachelor's of science degree from Cornell University. He also has master's and doctorate degrees in electronic engineering from the Naval Postgraduate School.
Staff writer Preeti Vasishtha interviewed Gauss at his Washington office.
GCN: When you took your post, the Veterans Affairs Department had security problems, fragmented telecommunications and no enterprise architecture. What's changed?
GAUSS: First, I had to ensure the department developed an enterprise architecture that was meaningful and usable, and would deliver it into the future.
My second goal was to modernize the telecommunications infrastructure.
The third was to enhance cybersecurity. Security is my top priority, but you can't secure the enterprise until you have a sound architecture and a robust network that you can understand and manage.
The fourth mission was to implement a disciplined program management process, which had been lacking here. And finally, I wanted to establish performance metrics from customer, user and technical standpoints.
GCN: What's next?
GAUSS: As we roll out the enterprise architecture and modernize the network, I will look at the skill sets of our IT folks, their grade levels and the number of workers.
When I ask if we have the right number of workers, skills and grades for what we need to be doing five years from now, the answer is no. We are going to be moving at such a pace in the next few years that if we are not defining our work force requirements and managing them, we are going to be in deep trouble.
We also have to look at the kinds of jobs folks do. There is a lot of IT work that should be done by industry. For example, we don't need government employees to do tech support. We can get that service from a contract.
Certain functions are important for the government to do, and it's important that the government has the technical competence and understanding of what industry is doing. How can you be a smart buyer when you do not understand what you are buying?
Tech leadership with independence is an important function for the government. Mundane functions in IT are services you can buy. The general policy is to contract brawn and hire brains. Too often, we hire the brawn and contract the brain.
GCN: What's your enterprise architecture plan?
GAUSS: We have put in terms that people understand the steps for implementing the Zachman framework, which emulates classical architecture to establish a common vocabulary for defining and describing enterprise systems.
The first step is that you have to understand the enterprise from a business perspective. What are the business functions that make up the organization?
We have 10 main business functions within VA focused around veterans' benefits, and seven key functions that let us conduct these missions, such as financial management.
The second step is to identify the data sets associated with each business function.
The next step is to take the business functions and decompose them into subfunctions. Then take the data sets and identify their data elements.
Step 4 is to look for duplication across subfunctions and inconsistencies in data. Establish a vision of where you want to be in the future.
As you go from business to data, you also identify the requirements that led you there. Identify the timeframe in which these requirements must be met, the people who are going to meet them and where they will be done.
Once you have established this vision, a technical reference model and a set of standards, you have the necessary data in your enterprise architecture so people can look at it as a road map to build their future IT projects.
When folks read it, they say, 'This makes sense.'
GCN: How have things changed since Sept. 11?
GAUSS: VA has not radically changed how it does business as a result of Sept. 11, but it made us look at some things, like our continuity of operations process, or COOP.
Today, this involves backing up our corporate data center systems to tape and flying them to a remote facility run by a contractor.
This relies on basic assumptions such as the availability of commercial air travel and people to make the trip.
Under a scenario such as the Sept. 11 attacks or the anthrax scare, will the place where we have contracted to do our COOP be oversubscribed? Where do we stand in their priorities? These questions suggest we should be thinking about using our technologies to perform COOP.
Sept. 11 also highlighted areas where we don't have backup and we should. That's getting folded into the enterprise architecture.
GCN: What's the status of VA security efforts?
GAUSS: Probably the biggest problem at the department was the lack of an enterprisewide antivirus program to protect computers against viruses such as Nimda and Code Red. That implementation has been completed. We have eradicated several million viruses.
We've also introduced a standard firewall policy. We have a program in place that depends on network modernization.
GCN: The Veterans Health, Veterans Benefits and National Cemetery administrations have a history of working independently. How do you get them to work together?
GAUSS: I have two very powerful tools.
First, I have a lot of support from secretary Anthony Principi. Without that kind of support, it would be a lot tougher.
The second is the Clinger-Cohen Act. I know a lot of people scoff at it. But if you go read it, the CIO has a big veto stick.
I would say I disapprove about 30 percent of the IT requests that come across my desk. I disapprove them if they are not compatible with our enterprise architecture, and that gets folks' attention. I am not using it as a hammer; I am using it as a management tool.
I believe in seeking consensus, but I don't believe in compromises. The difference is that if you compromise, you give up an equity that is important to you. You can reach consensus if you don't like it, but you can live with it. If you can live with it, you have not forsaken fundamental equity.
GCN: More than a third of the VA work force is eligible for retirement by September 2005. How does this affect VA's IT strategy?
GAUSS: Our plan to address our IT personnel needs may involve some retirement incentives and some cross-training. It also will involve focused recruiting.
We are desperately short of electrical engineers and computer scientists, so we will go to engineering colleges to recruit engineers.
We don't represent the face of the American work force. Where we are short, say in African-American engineers, we will go to Baltimore to the Black Engineer of the Year conference and set up a booth to recruit folks to apply for these jobs.
I believe that if you recruit right, you will get quality applications. Targeted recruiting gives you a better chance to fit a need.
GCN: Can you convince veterans that their information is safe with you?
GAUSS: We are not as secure as we should be. We have taken a fair number of positive measures to protect information, but are we 100 percent secure? No.
We will be deploying intrusion detection devices inside our intranet to protect against internal and external attacks. We will be using encryption devices before data packets leave the building. We will look at the implementation of public-key infrastructure.
Do we have protections? Yes. Have we driven down the probabilities of bad things happening? Yes. Are we where we ought to be? No.