Hord Tipton | Interior redesign
Interview with Hord Tipton, Interior Department CIO
- By Wilson P. Dizard III
- May 30, 2006
GRIZZLED VET: Tipton, here with one of Interior's wildlife displays, has tackled tough challenges.
Interior Department CIO Hord Tipton has wrestled with some of the most daunting challenges in federal IT: When he took the job in an acting role in mid-2002 (he received a permanent appointment six months later), the department was reeling from a Dec. 2001 court order that disconnected almost all Interior systems from the Internet.
That order resulted from a multibillion-dollar lawsuit brought by beneficiaries of Individual Indian Trust accounts held by Interior's Bureau of Indian Affairs, based in part on the ability of hackers to burrow into the trust accounts.
Over the past 3 1⁄2 years, Tipton and his staff have upgraded systems security and managed to get almost all the department's systems reconnected to the Internet, although BIA's site remains offline. Interior has also addressed security criticism from its own inspector general, while the House Government Reform Committee last year lowered the department's FISMA grade from C+ to F.
Meanwhile, Tipton and his colleagues have also been working to consolidate systems on fewer networks and platforms.GCN: How have you been working to complete the reconnection of the Interior systems that remain offline?Tipton:
Getting up to speed on that has been a real chore over the last year. We've been catching up on a lot of time that we lost by doing such routine things such as monitoring and policy updates. Tuning [National Institute of Standards and Technology] publications and policies to Interior's needs also was a burden.
And my security staff losing all that time producing 4.5 million pages of documents for the court last year, which set us back in terms of keeping up with a number of security requirements.
I am not saying that that had a huge impact on the overall [IT] security of the department, but it kept us from meeting various directives and mandates and expectations from the inspector general's office and places like that.GCN: Is that the reason your grade went down from the preceding year?Tipton:
I think that had a whole lot to do with our grade going down, in that security is a constantly moving target and FISMA in many regards is kind of a black and white test.
It doesn't ask you what the risk is by not being up to a certain level. But they expect you to be there. So when the question comes, it's 'Did you meet [certain requirements] on all your systems?' But there is not a follow-up question, such as 'What do you use in its place?' or 'What was the impact of that?'
It's you met it, or you didn't. If you didn't meet it, you lose 10 points.GCN: What's the status of your certification and accreditation of Interior's major systems?Tipton:
We are at 98 percent. And we are at the point now of monitoring those C&A [documents]. There's been a lot of discussion about the value of C&A [evaluation]. We want to be on record as saying that C&A is a very good process. On the other hand, there is the danger of doing a C&A and then walking away and forgetting it.
Because you could do a C&A this month, and [next month], if you haven't kept up, new vulnerabilities have come out, you don't have the monitoring piece in, then your C&A is diminished. So we put a lot of effort into maintaining [C&As], making the whole process more mature.GCN: What's the status of your financial business modernization system integration contract that you recently awarded to IBM Corp. after removing BearingPoint LLC from the project?Tipton:
We did a new competition on a very fast track. The winning integrator of that system was IBM. So IBM will do the integration piece of that and it will be hosted by our National Business Center.GCN: The department never said why it removed BearingPoint from that job. Can you now say why?Tipton:
I can't answer that in a lot of detail. We simply chose to sever the relationship. There were questions in the earned-value piece had a lot to do with that. It was a business relationship that, about all I can say, didn't work out.GCN: You have IT consolidation efforts across the various bureaus of the department'how are they going?Tipton:
We have essentially closed 13 wide area networks and are now operating through one. We had 35 ISPs and we now operate through five high-throughput ISPs.
That's been done in phases. Phase one is essentially complete. We hope to complete phase two, which is getting actual management of the border routers and the servers down to the bureaus by the first of June.
We could look at that as a security upgrade in that it provided a 24/7 monitoring security layer over all of our LANs and desktops throughout 2,500 offices, which is a very significant improvement in our security. I think we are pretty much on schedule.GCN: Does this produce savings, too, when you reallocate the resources for maintaining these WANs and other systems?Tipton:
It does. You can do quick calculations that going from 35 ISPs to five will save roughly $2 million a year. That's just the very top of it. It gives us the opportunity to reassign peo- ple to new work areas that fit among operating over a common, centralized network.GCN: Any other new initiatives?Tipton:
We are still trying to get our messaging consolidated. We operate on three: Lotus, Novell and Microsoft. We are consolidating on Microsoft Exchange.GCN: How long will it take to do that?Tipton:
I had intended on being done last September. So we are behind schedule.GCN: Was that a money issue?Tipton:
If I could point to one root cause of how things get delayed, it's probably money. Money doesn't come forth as we expect and that often results in extending your schedules. The bureaus have had some resource problems, too.GCN: What is the status of migrating your PCs and servers to [a common operating system].Tipton:
We have done quite a bit there [standardizing on Microsoft Windows XP]. Just in consolidating servers, we haven't gone to a centralized server farm but the bureaus, in a staging type of approach, have on their own consolidated their servers.
Our number of servers is considerably less than what we had a few years ago. It is probably 25 percent, or even less than that, of what we had even three years ago. So services are already being provided at a centralized point of distribution [in many cases].