For better or worse, the Department of Housing and Urban Development is a bit of a guinea pig. Its "New Core Project" to move financial systems to the Treasury Department's Bureau of Fiscal Service, still in process, has been lauded as the federal government's first department-level shared service.
The process has not been without its pain points. HUD's inspector general pointed to concerns related to system design and development and schedule management deficiencies, as well as initial rollouts. But the IG is also who pressed HUD to modernize its financial systems, or risk noncompliance with regulations. And so, the transition continues, and if you ask HUD CIO Rafael Diaz, it's on track. He spoke to Federal Times Editor Jill Aitoro about where the effort stands and what's next in IT.
So HUD transferred your financial and acquisition systems to the shared service at Treasury. Can you tell me a little bit about that?
The financial and acquisition move to shared services at the Department of Treasury, the [Administrative Resource Center (ARC)], was actually started before I came. There had been multiple efforts to make changes to the financial and acquisition processes that had not been so successful and so the thought was, let's go to shared services. Shared services makes sense. So we just recently, Oct. 1, converted over to the shared services process. I think it is a culmination of a lot of very good planning, decision making, and the ability to make a difference and to transform how we do business at HUD.
That is the first phase of how we are moving our financial systems over to the ARC – looking at the program transactions. Most of what HUD does is financial transactions so [the question becomes] how do we manage what piece? Grants and payments, for instance, is a big piece that we are looking to move over.
As you make these moves, what does that mean for your IT infrastructure? How has that been reshaped as a result of utilizing the shared services?
It gives us more versatility, more flexibility, and it helps us to focus on the program offices, on the program needs. So what are the missions at HUD and how do we implement more innovative solutions for that mission? We are out of the commodity IT, if you will; move those over to shared services and now we can focus on the mission.
Can you tell me a little bit of what the top priorities are for you now, what you have accomplished and hope to accomplish?
We started actually about a year ago. We came in and said, "What are we going to focus on? How are we going to focus our energy?" [We decided] let's look at four strategic initiatives. They may seem broad but they really focus our energy on transforming how IT is done at HUD. First, get the commodity IT done. Get that out of the way so that it is a service being provided to HUD, and the office of the CIO does not have to spend resources, personnel, federal resources on it. Next, how does the office of the CIO best support the business mission? By learning the mission, by understanding the business. So the office of the CIO becomes a very close partner with the business, understanding what their objectives are, and how can we best support them with the systems that we are implementing.
The third piece is to be fiscally responsible. How can we lower our operational costs, operation and maintenance, and save that money to be more innovative, which leads us to the fourth strategic goal – to implement innovative mission solutions for the business side. So that led us to focusing on workforce, on HEAT, [or the] HUD Enterprise Architecture Transformation. How do we transform the architecture? How can we implement mobile, [and] cloud solutions? How can we move to the cloud and how can we look at the technology as a business, and how can we manage it more effectively?
What you have accomplished so far?
[As part of] the HEAT initiative, we outsourced our network to AT&T. We [then] wanted to do everything in a shared services model using the GSA model and so we went to the GSA for our mobile devices. We looked at Microsoft for a solution that would provide us cloud, Office 365, and a software development kit so that we can provide that all in one enterprise solution, based on active directories for single sign-on. And we are building that out for [customer relationship management]. Now we are looking at how we are going to move the data center and get systems integration into that new environment.
So are you actually consolidating the data center?
Yes, we are looking at shared services, a federal data center, that we can consolidate into. Right now we have two data centers. We are moving them into a federal shared services space.
We have a very diverse workforce and we are looking at how we start to build that team to better implement a shared services capabilities from an enterprise perspective. So as we are building out our capabilities for the business, our teams are learning the business, learning how to implement shared services, learning how the architecture fits into a solution, and then learning how to implement that overall for HUD.
So basically almost an internal training to then push it on down to the workforce.
Yes, an internal training to implement all these capabilities at HUD so that the Office of the CIO is not just an IT shop. It is an enabler. It understands the business, understands the technology, and can put the two together to enable the business to be more effective.
So looking a little backwards, you, of course, came from Illinois. How do the two compare in terms of how they operate?
Same problems, same issues, same risks. They exist governmentwide. And I worked also in the City of Chicago, not so much in the IT shop, but I was a forensic scientist in the Chicago Police Department. You see the same types of issues are pervasive. But the magnitude at the federal level is far greater… I think the one common denominator or need in any of the government levels is leadership to make change happen. And change needs to happen. It always needs to happen and we often times resist change as an organization, as individuals, but as we look at how we improve, it is all about changing. It takes leadership because frankly change is kind of scary. When you are building a whole new infrastructure and you are building a whole new IT capability in a federal cabinet-level agency, that gets scary; people get nervous that you are going to change all this, what is going to happen, how are we going to be managing this, do we have the right skills, do we have the right resources, do we have the right processes? Those are great questions that you need to be able to answer.
At the federal level there is some very rich, deep, well-trained, intelligent, and capable resources. It is very exciting to be part of this team, because they are the ones that make things happen. If they see that you are moving in the right direction, they will be glad to move in that direction. So it is all about leadership and how you can get people excited about change, excited about their role in the change, and excited about the vision for the future.
You also have a background in security. Looking at the cyber security posture of federal government, what do you believe needs to happen now?
The same thing that had to happen in Illinois and that is leadership, insured services, understanding where the risks are, understanding where the data is, understanding who owns the data, where is it going and where is it coming from, and then being able to manage that. Implement appropriate controls. It is really the same story but again, more magnified. It is just a bigger, bigger problem. And I really commend [the Office of Management and Budget and [the Department of Homeland Security] – OMB [for] the cyber sprint that now has turned into a cyber marathon, and DHS [for] the work that they are doing for continuous monitoring. The [Continuous Diagnostics and Mitigation] project that they are building, which are shared services for detection and monitoring – that is the critical stuff that needs to happen. How are we sharing information? How are we sharing the resources? Where do we know is our data so that we can protect it more effectively?
In your opinion, do we need a federal CISO like we have a federal CIO, to look across all of government and drive the cybersecurity guidance forward?
That is a great question. Since I was at state [government], I always looked at DHS as kind of being the federal CISO, because they have the capabilities. They were working very closely with me at the state level to improve our cyber security posture. So I think it is absolutely necessary, that leadership to be able to see across the landscape and understand where the issues are and start to operationalize those capabilities is critical.
Regardless of where it resides, whether it is White House or DHS?
You have some interesting opinions on where the CISO should reside within an organization. Tell me about that.
When I was the CISO at the State of Illinois, I continuously argued not to report to the CIO because I think – and I believed it then and I believe it now – security is not necessarily a technical issue. There are technical problems certainly. There are technical solutions, absolutely. Technology has to be involved unequivocally. But the bigger problems are political; there are the social, the people, the processes, and how we are managing our business. How does the business view security? Is it an afterthought that needs to be integrated into everything that the business does, because security can improve the processes, the business? If we look at how we implement security across an organization, it can improve the performance of that organization, because those controls will improve the processes and will improve the performance of the organization. So it is absolutely essential.
And now that you are a CIO?
Now I am a CIO and I say, I can operationalize this. Maybe is because as a CIO I understand the issues that the CISO has and I support them and I look at it more as an alliance. As a CISO, I always felt like I was fighting an uphill battle. It was not always as good a relationship as it could have been just because it is difficult to see how the security pieces fit into the overall architecture, fit into the overall processes. But as a CIO now, I can go either way. I am certainly not tied to any specific location for the CISO but I do like to be able to operationalize and control [the security component]. Certainly I can see the CISO rolling up to a higher level to like the chief risk officer, for instance, or a chief operations officer, because like I was saying earlier, the problem with security is not necessarily a technology problem, but an overall business process problem. So the risk officer can actually have a better view of the overall risk within an organization and implement the information security more effectively.
Jill Aitoro was editor of Defense News. She was also executive editor of Sightline Media's Business-to-Government group, including Defense News, C4ISRNET, Federal Times and Fifth Domain. She brought over 15 years’ experience in editing and reporting on defense and federal programs, policy, procurement, and technology.