MeriTalk Q&A: DOJ CIO Rogers Grades Out IT Strategic Plan Progress

With the Justice Department’s (DOJ) IT operations at the midpoint of executing a three-year IT strategic plan, we asked agency CIO Melinda Rogers a few weeks back for a run-down on progress with the plan so far, some of the advancements still in progress, and how the five pillars of the strategic plan are making a difference for the operations of DOJ and its 40 or so agency components.

Rogers – who knows DOJ’s IT operations like few others after three years as CIO and eight as the agency’s chief information security officer – responds with a detailed evaluation of steps the agency is taking to meet the strategic plan’s goals across a range of crucial fronts including service delivery, cybersecurity, workforce, and more.

The following Q&A – edited for length – captures the CIO squarely in her element of both strengthening the far-flung agency’s technology base and security, while at the same time making way for innovation across all of the components that the IT organization supports.

MeriTalk: Melinda, you are overseeing the execution of an ambitious 2022-2024 IT Strategic Plan, with pillars of innovation, cyber, service delivery, workforce, and financial transparency. Before we catch up with those though, you are CIO of a highly federated agency with dozens of components, can you give us some thoughts about how you approach that, and how the IT intensity has grown at the agency?

Rogers: The technology mission at DOJ has evolved as we continue to grow and adopt and incorporate more and more IT in what we do day in and day out. When I started in this job 13 years ago, IT was a thing, but nobody expected it to be where it is today – to be so ubiquitous and to be so ingrained in everything we do.

As the department CIO, I have the responsibility to look at the overall IT investments across the entire organization. This ties into one of the pillars in my strategic plan for the Department of Justice – how are we spending on information technology, are we getting everything we can out of our expenditures, and are we leveraging IT to achieve better efficiency to help our mission operators be more effective? That’s one of my primary responsibilities.

A second element of my primary responsibility is of course cybersecurity. I started my career in the cyber space within DOJ and became its CISO, and then then CIO. So cyber still remains near and dear to my heart. I am a big believer that we can enable mission operations and achieve that smooth customer experience while maintaining a cyber-secure posture. It should not be a trade-off, they all need to happen.

MeriTalk: We tend to look at DOJ as one big agency, but it’s really a great big group of components. What’s that number up to these days?

Rogers: DOJ has about 43 or so components. On any given day, small ones might get stood up, others might get decommissioned, but probably about 40 or so component offices. About 20 or so are large enough to have their own IT director or component CIO. We have to work together on ultimately achieving success for the entire department.

What I mean by that is there are certain services that I as the department CIO am responsible – infrastructure layer, collaboration suites, commodity-type services, and telecommunications – those are all the foundational structures that we need to have in place for the entire department to operate and interoperate.

But the reality is our missions are so different. It runs the full lifecycle of law enforcement from investigations on the law enforcement side, prosecution by U.S. Attorneys, to incarceration through the Bureau of Prisons (BOP), and then through parole with the U.S. Parole Commission. It’s a full lifecycle with very different needs and different operations.

So it’s about how do we come together, leverage things where we can on a standardized form that saves headaches for everybody, but ultimately enable component offices with very specific mission needs to do what they need to do comply with the cybersecurity requirements of the department, and align with the department’s IT standards, but still have flexibility to fulfill their specific operational needs and necessities.

MeriTalk: So, there’s some differentiation at the component level, but some uniformity of services coming from the top of the organization?

Rogers: Exactly. We are looking to create as much standardization as possible, because the IT world is complex enough as it is. And then wherever the dividing line makes sense for the components to pursue their own mission needs without undermining the department cybersecurity program and our attempt at standardization, then it’s really creativity and flexibility to fulfill operational needs. That’s really how I and the component CIOs all approach doing business together.

MeriTalk: That sheds a lot of very helpful light. Let me ask you a bit about the five pillars of the IT Strategic Plan – the first of which is embracing innovation.

Rogers: You could go in so many different directions with that. What I mean is it’s not just about adopting the shiniest new object, but it’s about changing how you do things, changing the processes.

On the component level, they probably have more of an opportunity to pursue something that’s new and upcoming for their specific mission applications because it’s quantifiable in scope and size and something that you could quickly spin up and maybe fail quickly at the local office level. Because we do things for the entire department, the inability to afford a failure is something that becomes a governing factor for us in terms of the speed at which we move forward.

In broader terms of embracing innovation, I’ll give you an example. We do have one component – U.S. Attorneys – they have been the market leader in incorporating an identity verification solution as part of their overarching identity management program. They are well ahead of the department in terms of defining the governance structure, the processes, and identifying the right tool sets or combination of tool sets to enable a smooth customer experience. In that instance, this is where a component office has led the way in the effort in the department as part of our zero trust strategy.

We’re trying to standardize how we go about managing our identity information, the digital identity of all of our employees and contractors. This is where I would say probably it’s a different path from what previously was done at the department. This is where we’re leveraging experiences from U.S. Attorneys in their combination of solutions, looking at different IT capabilities and working closely with them to determine how do we leverage the investments that they’ve made that we could adopt at the department level and then propagate out to the rest of the department.

So it’s really sort of bringing in the best ideas that we see at the component level to push out and share with each other.

MeriTalk: And that runs straight into the cyber pillar – and the zero trust component – of the 2022-2024 IT Strategic Plan.

Rogers: I know it’s been overused, but it’s a journey, and honestly, I don’t think it’s a journey with a destination, it is perpetual, it is the infinity sign.

With cyber I will just start by saying nothing is easy, but there are those – maybe somebody like myself, I’m a glutton for punishment – I guess I love a good challenge, I thrive on solving complex problems.

With cyber it oftentimes goes back to basic cyber hygiene. It is the not the sexy part of the job. It means you’ve got to patch your software, stay on top of your services, you’ve got to modernize constantly, look at how long you’ve had something in place, whether you have the latest capabilities, does your current solution that’s been around for maybe 10 years have security holes that are not able to be addressed but now can if we modernize the environment.

So it is about a constant rigor of managing your environment, making sure that it is hardened, it is patched, it is configured, and that access is constantly managed.

With zero trust, DOJ has been on this journey for quite some time. We’ve always been focused on knowing what assets we have in our inventory, the security posture of those assets, and who has access to our environment. In our mind, those are the some of the basic pillars of a zero trust construct. As you know, zero trust is about an architecture, it’s about a construct, so as we evolve, we have these basic pillars in place.

What DOJ is doing now is stepping up the game and figuring out how we can continue to enhance what we have and elevate our posture by getting more granular, more specific about tying the device the security posture of that device, with the person accessing the device, and what is that person authorized to access, and bringing that together.

And with that we are incorporating new solutions – we have recently incorporated a new endpoint detection and response (EDR) solution into our environment that allows us to see in near real time forensic data if we have suspicious or anomalous activity that we’ve detected.

I mentioned earlier about this identity and access program where we’re trying to have a way find a way to transform how we manage digital identities across the department. Particular to DOJ, we’re 40-plus offices big, and it’s not unusual for one person to be detailed to a second office or a third office then go back to the home office. How do I make sure that ultimately, I can tie the identify back to the same person and not end up with this person potentially creating multiple digital identities? So management is a key part of our focus.

ICAM and EDR are two key pillars I need to have make sure I have the right infrastructure to move forward on the zero trust approach. Then the third piece we want to do is leverage a zero trust broker model to truly be able to bring in this piece about the device, this piece about the identity, evaluate what policies have been set in place that’s implemented at the broker level, and essentially permit only what is permitted based on the notion of least privilege. That’s where we are.

MeriTalk: What’s the latest on pillar three of the strategy on improving service delivery?

Rogers: Service delivery, I think, is very much a learning experience for many IT professionals, and that’s not just specific to DOJ IT. It’s about taking an IT professional with their expertise in programming and coding and cybersecurity complexities and requiring them to put themselves in the user’s place and understanding that the user doesn’t want to know anything about the tech. The user just wants it to be smooth, seamless, and transparent.

In IT, we do our job well if the user just initiates something and clicks all the way through without even thinking about it. Just like cyber, if we are not making the headlines, we’ve done our job. Our objective should be quietly doing things effectively in the background, but that takes a whole lot of work and a whole lot of attention to detail. I look to examples like Apple and Tesla – they both provide incredibly smooth user experiences.

MeriTalk: Any examples from DOJ in recent times on a good user experience gain?

Rogers: One that comes to mind was during the COVID pandemic, the White House required all agencies to determine vaccination rates for employees. We were able to build an application very quickly leveraging an existing application that we already had in house and that was already propagated through most of our components. So that was something where we talked about embracing innovation. That application itself was not new, but we leveraged what we had, repackaged it, gave it a new skin, and created a new user experience.

We designed it in such a way that very quickly you accept the privacy notice, you put in a name and address, upload your proof of vaccination, and you’re done. We were able to do that in less than 30 days for our 120,000 employees. That’s getting the design smooth where they should be able to click through it without having to pause and ask who do I call or how do I do this, usually that’s where things completely fall apart.

That’s an example I’m personally very proud of, it took time, effort, and thoughtfulness about user experience. Then on the back-end, management can log on at any time and look at how we’re tracking with percentages of people completing the information, and who’s missing.

MeriTalk: The fourth pillar – workforce – that’s a tough nut for everyone to crack. How is DOJ looking at getting younger, more tech talented, more cyber talented?

Rogers: I think our approach with talent is no different than any other organization – you really want a blend of young people coming out of school and wanting to get some experience, that are eager to learn, and that you can help groom whether they end up staying with the agency or not.

And then you want to have certainly people that I would say are the mid-tier – those that have been around for a while or people that we bring in from the outside – with the experience to manage the new young college grads that you’re going to be bringing in. And of course, you have to have the executives that have the expansive view of management leadership and capability.

Workforce recruitment within the National Capital Region is just beyond tough. I know everyone says that because it’s a real problem, and it’s not even much different among contractors.

From our standpoint, we have been working with our human resources counterparts to evaluate what existing authorities we have that we maybe have not fully explored. Let’s make sure we tap into everything we possibly can, exhaust all options, and then we’re going to push through some more.

In terms of hiring authorities, we have direct hiring authorities for our information security specialists as well as cyber, and there are a couple of other categories like data scientists and procurement. This is where we are really doubling down and making sure that we use that authority that’s already been given to the individual agencies.

A second element of that is making sure that we have the right recruitment and retention incentives in place. I know there’s a lot of talk about different agencies seeking additional authorities from the Office of Personnel Management, but at DOJ, we do have existing authorities that apply to all the agencies, and we know that we have the ability to do recruitment and retention incentives. We are doubling down on figuring out how we structure a program where we can make those available for those that demonstrate either the extra capability or those that have achieved phenomenal results for the department.

I’m excited about moving forward with at least a pilot in the new fiscal year on leveraging the recruitment and retention incentives, which we desperately need.

In terms of the interesting nature of the agency’s mission, I feel very comfortable and confident about that. I love the Department of Justice’s work, it offers a huge variety, with lots of challenges, but interesting challenges, for any young person or somebody who’s even in the middle of their career to come in. They’re going to gain some really invaluable experiences and that’s going to only increase their value and worth if they ever want to go back out in private industry.

MeriTalk: And then tell us a little bit about the goal of financial transparency, which is not usually on agency top-five lists.

Rogers: It’s about what IT costs, and how to be transparent about that.

Because IT is so pervasive, and so embedded in everything we do, the fact is that IT staff needs to be much bigger for everybody. I think that’s something that’s almost like a rude awakening, and a need for acceptance by organizational leadership everywhere – you need a big enough IT staff and big enough cybersecurity staff to support the IT that needs to run 24 by 7. To think that we’re going to be 24 by 7, fast and efficient without the growth in workforce is not realistic. I think that’s an awakening moment – you’ve got to staff up the IT people.

And key people need not just to know how to program and know the widgets, but they need to have the financial acumen that goes along with management.

A lot of my operating dollars are monies collected from our component offices. I have a fiduciary responsibility to show them how I’m spending their dollars on funding these infrastructure services and I have an obligation to make sure I provide really good service back to them for their investment into the department. That’s where the financial transparency comes in. It’s not just I’m going to tax the component because I’m the department and I get to do that, but I’m going to tax them and I’m going to show them how I’m investing in these various capabilities – whether it’s IT or people.

When I have procurements in place, I invite component IT representatives to sit on those evaluation panels with me, and when I recruit for executives, I invite those in the components to sit at the table with me because we are partners in this. I want them to have buy-in on how I’m operating with their dollars in my service for them.

It’s about how do we show transparency, and how we’re spending the money. That transparency could also bring, for example, discussions on do we need all 10 services we have, or now that we have these two or three new things maybe we can retire these two other solutions.

MeriTalk: Sounds like a good application of something like Technology Business Management (TBM) practices.

Rogers: That’s spot on, I didn’t mention TBM by name, but that’s exactly how we’re trying to show the categories of spend for the department. We can show how much total service costs, and then how we are going to allocate it. It’s a constant discussion.

MeriTalk: Final question – the IT Strategic Plan runs from 2022 to 2024, and we’re in the middle of that span now, maybe halfway through. How do you rate progress so far on the goals?

Rogers: I’m very proud of the focus that we’ve put on service delivery and the consumer experience – talk about being on a journey – that’s a journey! We’re constantly being mindful of even the simple service desk experience as somebody calls, I want everybody to be treated the same way with a quick response with a good customer experience – it has to be that way. That’s one area where we have doubled down.

On cybersecurity, I’m very proud of the program that we have. We have taken a strong program and we’re just continuing to enhance it.

With embracing innovation, this is one area where I think there’s plenty of talk out there on artificial intelligence and machine learning, but at the end of the day we’ve got to start somewhere and actually somewhere starts with the human and how the learning kicks in. There’s a lot of tuning and critical thinking and analysis that needs to take place, for which we need the workforce augmentation support.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.