Update on NOAA IT Security and 30-Day Assessment

Provided by: PPI

Transcript and Presenter's Notes


1
Update on NOAA IT Security and 30-Day Assessment
  • Joseph Klimavicz, NOAA CIO
  • February 13, 2007

2
IT Security Update
  • Certification and Accreditation (C&A) Status
  • 134 IT systems total
  • 98 IT systems secure
  • 36 IT systems without full Authority to Operate
    (ATO)
  • 32 IT systems ATO will expire in CY07
  • C&A Way Forward
  • ATO for 23 of 36 systems without an ATO by end of
    March
  • ATO for 30 of 32 systems with expiring ATOs by
    the end of CY07
  • 4 systems without valid ATO at the end of CY07
  • Encryption
  • Laptops 55 are FIPS 140-2 encrypted
  • Personal Digital Assistants (PDAs)
  • Ongoing efforts to capture inventory in CAO
    database
  • Product issues have delayed PDA encryption

3
IT Security Update
  • What We've Done
  • Detailed 2 people from IT operations to IT
    security
  • Worked with DoC CIO to identify C&A automation
    tool
  • Met with DoC IG
  • Debrief 2006 C&A results
  • Described 2007 C&A expectations
  • Met with all LO CIOs
  • Assessed IT security and built integrated C&A
    schedule
  • Identified 10 packages to submit to DoC IG
  • Personally Identifiable Information (PII)
    Implementation, and IT Security Training
    memorandums distributed
  • Plans
  • Meet with OMB to discuss priority IT security
    needs
  • Schedule for FISMA C&A packages
  • April 1, 2007 to NOAA OCIO
  • May 1, 2007 to DoC CIO
  • June 1, 2007 to DoC IG

4
Future IT Security Management
As is
To be
  • Centralized Policy
  • Insufficient asset management, processes,
    automation, and change control

Centralized policy/governance, NOAA-wide
processes, monitoring, and metrics, comprehensive
architecture, and workforce plan
IT Security Effort
OCIO IT Security Officers
IT Security Effort
Quality Assurance Data Validation Guidance to
System Owners
Line Office IT Security Officers
Decentralized Implementation
Conduct Risk Assessment Implement
Controls Provide Documentation
Line Office System Owners
Decentralized Monitoring
5
Path Forward: Guiding Principles for IT
  • Simplify, standardize, automate
  • Reduce burden and add value
  • Plan, invest and implement NOAA-wide
  • Focus on enterprise-wide solutions
  • Consolidate and eliminate duplication, e.g.
    NOAAnet
  • Be creative with recruiting and retaining talent
  • Professional program management

Common Solutions to Common Problems to Improve
Service and Reduce Cost
6
What Has Been Done
  • Security
  • Established security metrics
  • Reallocated 2 people to security
  • Worked with NOAA CFO to fund IT Security from
    earmarks
  • Worked with DoC CIO to identify C&A automation
    tool
  • Met with DoC IG
  • Built integrated C&A schedule
  • Identified 10 packages to submit to DoC IG
  • Defined PII Implementation
  • OCIO Role
  • Conducted All-Hands
  • Met with most key stakeholders and visited
    several operations
  • Developed revamped OCIO web-pages
  • Instituted daily mission readiness meetings
  • IT Talent
  • All vacancies being advertised
  • Technology
  • Inventory of systems

Secure NOAA IT
Strengthen NOAA's IT Security
Lead NOAA IT
Build NOAA's OCIO
Transform NOAA IT
Understand what NOAA has and what NOAA needs
7
What Needs to be Done
  • Plan: Develop actionable Enterprise Architecture
    to build in IT security, and develop IT
    Modernization Plan for FY10 per PDM
  • Invest: Develop and implement comprehensive IT
    Workforce Improvement Plan to include the Line
    Organizations. Identify Project and ITRB to
    approve expenditures >25K
  • Secure: Develop and implement comprehensive
    Information Assurance Plan, and simplify,
    standardize and automate the processes
  • Implement: Establish NOAA CIO Program Management
    capability and link to Line Organizations
    execution

Align Organization to Support These Key
Priorities
8
Transforming NOAA IT
Program Management and Leadership
OCIO
NOAA CIO input to LO CIO performance evaluation
  • NOAAnet PM
  • Help Desk PM
  • HPCC PM
  • Others as needed

Oversight of funding, schedule and performance,
to include Service Level Agreements
Shared program management funding
Program Funding and Execution: Centers of
Excellence (COE)
OAR COE
NWS COE
NOS COE
NESDIS COE
NMFS COE
NOAAnet Ops/R&D HPCC
Web Portal, Phones R&D HPCC
CLASS
E-mail
Notional Examples Help Desk

Project identified and ITRB to approve >25K
expenditures (June 12, 2001 DoC memo)
Providing Common Solutions to Common Problems
9
What is a NOAA Center of Excellence?
  • What is a COE?
  • An entity or single organization that is a
    provider for an operational capability that
    fulfills a cross-organizational need
  • Centralized core IT operational functions
  • Drivers of change
  • Why have COEs?
  • To achieve economies of scale for NOAA
  • Institutionalize lessons learned and aggregation
    of expertise, i.e. critical mass
  • To drive innovation and streamlined processes
  • Why be a COE?
  • Resources to strengthen core skills
  • Ability to direct resources on core skills
  • Agency and Government-wide recognition for
    excellence

10
Key Shifts to Transform NOAA IT
How do we shift to execution of NOAA-wide efforts?
Unity of Effort
Multiple/Duplicate Efforts
11
Key Reasons to Transform NOAA IT
What's in it for me?
Common Solutions
Common Problems
12
NOAA CIO Key Priority: Transformation Roadmap
  • Lead: OCIO champion
  • Partners: IT committees, LO staff, others
  • Timeframe: Feb - Apr

Strengthen & Revitalize Plans → Plan IT
Transformation
  • Build Security Embedded Architecture
  • Information Assurance Plan
  • IT Modernization Plan for FY10
  • Develop IT Workforce Improvement Plan

Define and Build PMO → Manage IT Transformation
  • Lead: OCIO
  • Partners: LO CIOs, OCIO Staff
  • Timeframe: Feb - Apr
  • Define OCIO organization structure
  • Review and Update Documentation and Policies
  • Identify Project and ITRB to approve
    expenditures >25K
  • Lead: LO CIO and OCIO PM
  • Partners: OCIO Staff, LO Staff
  • Timeframe: Apr on...

Build COEs → Transform IT
Implement Centers of Excellence
COE 1
COE 2
COE 3
Performance Metrics → Monitor Transformation
13
Path Forward: Short-term Roadmap
COE 1
Value Proposition
Stakeholder Interviews
Work Team Planning
COE 2
COE 3
30 Day Assessment
Leadership Team Alignment Session
CIO Council Briefing
Leadership Team Alignment Session
NOAA CIO 500 Day Plan
NEP/NEC Briefing
Implement Centers of Excellence
  • Understanding of stakeholders' perspective on the
    current state
  • Clarity on stakeholders' priorities
  • NOAA-wide Strategy
  • Draft NOAA-wide IT priority goals
  • OCIO Implementation
  • OCIO Vision, Mission, Value Proposition
  • OCIO organizational realignment plan w/PMO
  • Draft OCIO CIO Council priority plans (e.g. IA
    Plan, Workforce Improvement Plan, EA with IT
    Security, IT Modernization Plan)
  • NOAA-wide Strategy
  • Alignment on objectives to support each IT
    priority goal
  • 500 day Roadmap with success criteria
  • Short term priorities and plans
  • Performance Metrics
  • Accountability for each initiative

14
Oversight
  • GEOLoB/FGDC
  • NEP
  • NEC
  • NOSC
  • PMC

CIO and D/HPCC 1.5
  • NOAA CIO Council
  • HPC Board
  • NITRB

Budget and Administration 6/1
High Performance Computing and Communications
(HPCC) Office 2.5
Homeland Security Program Office 5
Secure
Plan
Invest
Implement
Operate
Information Assurance 1
IT Policy, Planning and Architecture 1
IT Resource Management 0
IT Program Management 0
IT Operations and Support 4
Cyber Security 4 / 2 vac
Enterprise Architecture 0/ 1 vac
IT Capital Planning And Portfolio Management 2
NOAAnet (PM) - 1
NOAA Executive and Staff Office Support 30 / 1
vac
Risk Management and Incident Response 0
Help Desk (PM) - 1
Business Relationship Management 0
Asset Management 0
Corporate Business Applications 24
Compliance Management 1
Phones (PM) - 1
Vendor/Supplier Management 0
IT Strategy, Planning, and E-Gov 1
Other Ops Boulder Library - 7 / 1 vac Network
Operations - 10 Phones - 2
Web Portal (PM) - 1 unfunded
Privacy and Records Management 0
IT Workforce Management 0
IT Policy Management 3
Performance and Results-Based Management 1
15
Summary
  • Agreement on Priorities
  • Agreement on Approach
  • Agreement on Path Forward

16
Backup
17
30-Day Assessment
  • IT security fragmented and lacks enterprise-wide
    controls, standards and tools
  • OCIO role and authority not exercised in NOAA
  • One NOAA IT progress limited
  • NOAA IT has not evolved with industry best
    practices
  • Lack of focus on attracting, retaining and
    growing IT talent

OCIO Should be the Flagship of NOAA IT
18
Gartner IT Maturity Model: Industry Best Practices