Karen Evans is the US government's top IT executive -- essentially, its de facto CIO. Her official title is administrator of the office of electronic government and IT at the White House Office of Management and Budget. Evans, also director of the Federal CIO Council, recently spoke with Computerworld about the government's IT operations.
Federal IT isn't always seen as cutting-edge. "Antiquated," "stovepipe" and "legacy" are words frequently used to describe it. Are they still apt?
"Antiquated," "stovepipe" and "legacy" is probably accurate at several of the major departments, but that isn't necessarily a bad thing. I don't think the government needs to be on the cutting edge, but we do want to be on the leading edge. For example, when the president wanted to make sure that we were improving security and that federal employees had good [inter-agency] credentialing verification procedures, the technology didn't exist at the time. We made it very clear what our requirements were, and industry came through and invented the technology that we needed.
Now we have an integrated solution between our logical systems and our physical systems. That's a huge undertaking. Normally, you would think [it would take] five to 10 years for the government to do that. We did all of that work in less than two years.
What kind of efficiencies are you getting from that?
What was happening in the past is when you moved from Agriculture to Justice , they would run all the same business processes again to revalidate that you are who you are. We're not doing that anymore. In some of these positions, it would take six months to a year to get somebody to just move [to another agency]. So we set a metric of 45 days from the time a job is posted to the time the person actually appears on the job site, regardless of whether it's an internal candidate or an external candidate.
The aging of government IT workers and outsourcing are sometimes tied together....
Are they tied together in your mind?
The real short answer is no. We have done surveys and identified our skill gaps. A lot of things we're talking about that you would [put out to bid] -- like a data center type of service and some of these hosting services -- those aren't some of the areas that we have identified as critical skill gaps for us and our workforce.
We've actually broken them out into four areas: project management, security, enterprise architecture and solution architectures. We have the authorisation to fill vacancies in these skill gaps, so what we're working on is major recruitment activities, like internships [and] outreach to the universities. We have been quite successful in the cybersecurity area. But [recruits] have a tendency to go to the intelligence agencies, because people get pretty jazzed about working [there].
What changes have you made to improve IT security within the government, and what still needs to be done?
We just recently released a policy dealing with Microsoft and standard configurations [for Windows Vista and XP]. When I really analyse what the issues are associated with our security going forward, we have a couple. The first part is people. People really have to understand the purpose of the information and how to secure the information.
The other part is basic types of system development and maintenance, like configuration management. With the policy that we just released, this is our opportunity to standardise the configuration [of Windows] all the way across the board in every federal agency, down to every desktop.
When the government has a standard configuration, it makes it so much easier to maintain patches. That really is the heart of the issue. When you get down to "Why did that incident happen?" - a lot of times, it's because that particular system wasn't fully patched. We are also telling vendors that this is the standard configuration, so you have to make sure your products work on this configuration. That's a big change.