With the Justice Department’s (DOJ) IT operations at the midpoint of executing a three-year IT strategic plan, we asked agency CIO Melinda Rogers a few weeks back for a run-down on progress with the plan so far, some of the advancements still in progress, and how the five pillars of the strategic plan are making a difference for the operations of DOJ and its 40 or so agency components.
Rogers – who knows DOJ’s IT operations like few others after three years as CIO and eight as the agency’s chief information security officer – responds with a detailed evaluation of steps the agency is taking to meet the strategic plan’s goals across a range of crucial fronts including service delivery, cybersecurity, workforce, and more.
The following Q&A – edited for length – captures the CIO squarely in her element of both strengthening the far-flung agency’s technology base and security, while at the same time making way for innovation across all of the components that the IT organization supports.
MeriTalk: Melinda, you are overseeing the execution of an ambitious 2022-2024 IT Strategic Plan, with pillars of innovation, cyber, service delivery, workforce, and financial transparency. Before we catch up with those though, you are CIO of a highly federated agency with dozens of components, can you give us some thoughts about how you approach that, and how the IT intensity has grown at the agency?
Rogers: The technology mission at DOJ has evolved as we continue to grow and adopt and incorporate more and more IT in what we do day in and day out. When I started in this job 13 years ago, IT was a thing, but nobody expected it to be where it is today – to be so ubiquitous and to be so ingrained in everything we do.
As the department CIO, I have the responsibility to look at the overall IT investments across the entire organization. This ties into one of the pillars in my strategic plan for the Department of Justice – how are we spending on information technology, are we getting everything we can out of our expenditures, and are we leveraging IT to achieve better efficiency to help our mission operators be more effective? That’s one of my primary responsibilities.
A second element of my primary responsibility is of course cybersecurity. I started my career in the cyber space within DOJ and became its CISO, and then then CIO. So cyber still remains near and dear to my heart. I am a big believer that we can enable mission operations and achieve that smooth customer experience while maintaining a cyber-secure posture. It should not be a trade-off, they all need to happen.
MeriTalk: We tend to look at DOJ as one big agency, but it’s really a great big group of components. What’s that number up to these days?
Rogers: DOJ has about 43 or so components. On any given day, small ones might get stood up, others might get decommissioned, but probably about 40 or so component offices. About 20 or so are large enough to have their own IT director or component CIO. We have to work together on ultimately achieving success for the entire department.
What I mean by that is there are certain services that I as the department CIO am responsible for – infrastructure layer, collaboration suites, commodity-type services, and telecommunications – those are all the foundational structures that we need to have in place for the entire department to operate and interoperate.
But the reality is our missions are so different. It runs the full lifecycle of law enforcement from investigations on the law enforcement side, prosecution by U.S. Attorneys, to incarceration through the Bureau of Prisons (BOP), and then through parole with the U.S. Parole Commission. It’s a full lifecycle with very different needs and different operations.
So it’s about how do we come together, leverage things where we can on a standardized form that saves headaches for everybody, but ultimately enable component offices with very specific mission needs to do what they need to do, comply with the cybersecurity requirements of the department, and align with the department’s IT standards, but still have flexibility to fulfill their specific operational needs and necessities.
MeriTalk: So, there’s some differentiation at the component level, but some uniformity of services coming from the top of the organization?
Rogers: Exactly. We are looking to create as much standardization as possible, because the IT world is complex enough as it is. And then wherever the dividing line makes sense for the components to pursue their own mission needs without undermining the department cybersecurity program and our attempt at standardization, then it’s really creativity and flexibility to fulfill operational needs. That’s really how I and the component CIOs all approach doing business together.
MeriTalk: That sheds a lot of very helpful light. Let me ask you a bit about the five pillars of the IT Strategic Plan – the first of which is embracing innovation.
Rogers: You could go in so many different directions with that. What I mean is it’s not just about adopting the shiniest new object, but it’s about changing how you do things, changing the processes.
On the component level, they probably have more of an opportunity to pursue something that’s new and upcoming for their specific mission applications because it’s quantifiable in scope and size and something that you could quickly spin up and maybe fail quickly at the local office level. Because we do things for the entire department, the inability to afford a failure is something that becomes a governing factor for us in terms of the speed at which we move forward.
In broader terms of embracing innovation, I’ll give you an example. We do have one component – U.S. Attorneys – they have been the market leader in incorporating an identity verification solution as part of their overarching identity management program. They are well ahead of the department in terms of defining the governance structure, the processes, and identifying the right tool sets or combination of tool sets to enable a smooth customer experience. In that instance, this is where a component office has led the way in the effort in the department as part of our zero trust strategy.
We’re trying to standardize how we go about managing our identity information, the digital identity of all of our employees and contractors. This is where I would say probably it’s a different path from what previously was done at the department. This is where we’re leveraging experiences from U.S. Attorneys in their combination of solutions, looking at different IT capabilities and working closely with them to determine how do we leverage the investments that they’ve made that we could adopt at the department level and then propagate out to the rest of the department.
So it’s really sort of bringing in the best ideas that we see at the component level to push out and share with each other.
MeriTalk: And that runs straight into the cyber pillar – and the zero trust component – of the 2022-2024 IT Strategic Plan.
Rogers: I know it’s been overused, but it’s a journey, and honestly, I don’t think it’s a journey with a destination, it is perpetual, it is the infinity sign.
With cyber I will just start by saying nothing is easy, but there are those – maybe somebody like myself, I’m a glutton for punishment – I guess I love a good challenge, I thrive on solving complex problems.
With cyber it oftentimes goes back to basic cyber hygiene. It is not the sexy part of the job. It means you’ve got to patch your software, stay on top of your services, you’ve got to modernize constantly, look at how long you’ve had something in place, whether you have the latest capabilities, does your current solution that’s been around for maybe 10 years have security holes that are not able to be addressed but now can be if we modernize the environment.
So it is about a constant rigor of managing your environment, making sure that it is hardened, it is patched, it is configured, and that access is constantly managed.
With zero trust, DOJ has been on this journey for quite some time. We’ve always been focused on knowing what assets we have in our inventory, the security posture of those assets, and who has access to our environment. In our mind, those are some of the basic pillars of a zero trust construct. As you know, zero trust is about an architecture, it’s about a construct, so as we evolve, we have these basic pillars in place.
What DOJ is doing now is stepping up the game and figuring out how we can continue to enhance what we have and elevate our posture by getting more granular, more specific about tying the device, the security posture of that device, with the person accessing the device, and what that person is authorized to access, and bringing that together.
And with that we are incorporating new solutions – we have recently incorporated a new endpoint detection and response (EDR) solution into our environment that allows us to see in near real time forensic data if we have suspicious or anomalous activity that we’ve detected.
I mentioned earlier about this identity and access program where we’re trying to find a way to transform how we manage digital identities across the department. Particular to DOJ, we’re 40-plus offices big, and it’s not unusual for one person to be detailed to a second office or a third office then go back to the home office. How do I make sure that ultimately, I can tie the identity back to the same person and not end up with this person potentially creating multiple digital identities? So management is a key part of our focus.
ICAM and EDR are two key pillars I need to have to make sure I have the right infrastructure to move forward on the zero trust approach. Then the third piece we want to do is leverage a zero trust broker model to truly be able to bring in this piece about the device, this piece about the identity, evaluate what policies have been set in place that are implemented at the broker level, and essentially permit only what is permitted based on the notion of least privilege. That’s where we are.
MeriTalk: What’s the latest on pillar three of the strategy on improving service delivery?
Rogers: Service delivery, I think, is very much a learning experience for many IT professionals, and that’s not just specific to DOJ IT. It’s about taking an IT professional with their expertise in programming and coding and cybersecurity complexities and requiring them to put themselves in the user’s place and understanding that the user doesn’t want to know anything about the tech. The user just wants it to be smooth, seamless, and transparent.
In IT, we do our job well if the user just initiates something and clicks all the way through without even thinking about it. Just like cyber, if we are not making the headlines, we’ve done our job. Our objective should be quietly doing things effectively in the background, but that takes a whole lot of work and a whole lot of attention to detail. I look to examples like Apple and Tesla – they both provide incredibly smooth user experiences.
MeriTalk: Any examples from DOJ in recent times on a good user experience gain?
Rogers: One that comes to mind was during the COVID pandemic, the White House required all agencies to determine vaccination rates for employees. We were able to build an application very quickly leveraging an existing application that we already had in house and that was already propagated through most of our components. So that was something where we talked about embracing innovation. That application itself was not new, but we leveraged what we had, repackaged it, gave it a new skin, and created a new user experience.
We designed it in such a way that very quickly you accept the privacy notice, you put in a name and address, upload your proof of vaccination, and you’re done. We were able to do that in less than 30 days for our 120,000 employees. That’s getting the design smooth where they should be able to click through it without having to pause and ask who do I call or how do I do this. Usually that’s where things completely fall apart.
That’s an example I’m personally very proud of, it took time, effort, and thoughtfulness about user experience. Then on the back-end, management can log on at any time and look at how we’re tracking with percentages of people completing the information, and who’s missing.
MeriTalk: The fourth pillar – workforce – that’s a tough nut for everyone to crack. How is DOJ looking at getting younger, more tech talented, more cyber talented?
Rogers: I think our approach with talent is no different than any other organization – you really want a blend of young people coming out of school and wanting to get some experience, that are eager to learn, and that you can help groom whether they end up staying with the agency or not.
And then you want to have certainly people that I would say are the mid-tier – those that have been around for a while or people that we bring in from the outside – with the experience to manage the new young college grads that you’re going to be bringing in. And of course, you have to have the executives that have the expansive view of management leadership and capability.
Workforce recruitment within the National Capital Region is just beyond tough. I know everyone says that because it’s a real problem, and it’s not even much different among contractors.
From our standpoint, we have been working with our human resources counterparts to evaluate what existing authorities we have that we maybe have not fully explored. Let’s make sure we tap into everything we possibly can, exhaust all options, and then we’re going to push through some more.
In terms of hiring authorities, we have direct hiring authorities for our information security specialists as well as cyber, and there are a couple of other categories like data scientists and procurement. This is where we are really doubling down and making sure that we use that authority that’s already been given to the individual agencies.
A second element of that is making sure that we have the right recruitment and retention incentives in place. I know there’s a lot of talk about different agencies seeking additional authorities from the Office of Personnel Management, but at DOJ, we do have existing authorities that apply to all the agencies, and we know that we have the ability to do recruitment and retention incentives. We are doubling down on figuring out how we structure a program where we can make those available for those that demonstrate either the extra capability or those that have achieved phenomenal results for the department.
I’m excited about moving forward with at least a pilot in the new fiscal year on leveraging the recruitment and retention incentives, which we desperately need.
In terms of the interesting nature of the agency’s mission, I feel very comfortable and confident about that. I love the Department of Justice’s work, it offers a huge variety, with lots of challenges, but interesting challenges, for any young person or somebody who’s even in the middle of their career to come in. They’re going to gain some really invaluable experiences and that’s going to only increase their value and worth if they ever want to go back out in private industry.
MeriTalk: And then tell us a little bit about the goal of financial transparency, which is not usually on agency top-five lists.
Rogers: It’s about what IT costs, and how to be transparent about that.
Because IT is so pervasive, and so embedded in everything we do, the fact is that IT staff needs to be much bigger for everybody. I think that’s something that’s almost like a rude awakening, and a need for acceptance by organizational leadership everywhere – you need a big enough IT staff and big enough cybersecurity staff to support the IT that needs to run 24 by 7. To think that we’re going to be 24 by 7, fast and efficient without the growth in workforce is not realistic. I think that’s an awakening moment – you’ve got to staff up the IT people.
And key people need not just to know how to program and know the widgets, but they need to have the financial acumen that goes along with management.
A lot of my operating dollars are monies collected from our component offices. I have a fiduciary responsibility to show them how I’m spending their dollars on funding these infrastructure services and I have an obligation to make sure I provide really good service back to them for their investment into the department. That’s where the financial transparency comes in. It’s not just I’m going to tax the component because I’m the department and I get to do that, but I’m going to tax them and I’m going to show them how I’m investing in these various capabilities – whether it’s IT or people.
When I have procurements in place, I invite component IT representatives to sit on those evaluation panels with me, and when I recruit for executives, I invite those in the components to sit at the table with me because we are partners in this. I want them to have buy-in on how I’m operating with their dollars in my service for them.
It’s about how do we show transparency, and how we’re spending the money. That transparency could also bring, for example, discussions on do we need all 10 services we have, or now that we have these two or three new things maybe we can retire these two other solutions.
MeriTalk: Sounds like a good application of something like Technology Business Management (TBM) practices.
Rogers: That’s spot on, I didn’t mention TBM by name, but that’s exactly how we’re trying to show the categories of spend for the department. We can show how much total service costs, and then how we are going to allocate it. It’s a constant discussion.
MeriTalk: Final question – the IT Strategic Plan runs from 2022 to 2024, and we’re in the middle of that span now, maybe halfway through. How do you rate progress so far on the goals?
Rogers: I’m very proud of the focus that we’ve put on service delivery and the consumer experience – talk about being on a journey – that’s a journey! We’re constantly being mindful of even the simple service desk experience: as somebody calls, I want everybody to be treated the same way, with a quick response and a good customer experience – it has to be that way. That’s one area where we have doubled down.
On cybersecurity, I’m very proud of the program that we have. We have taken a strong program and we’re just continuing to enhance it.
With embracing innovation, this is one area where I think there’s plenty of talk out there on artificial intelligence and machine learning, but at the end of the day we’ve got to start somewhere and actually somewhere starts with the human and how the learning kicks in. There’s a lot of tuning and critical thinking and analysis that needs to take place, for which we need the workforce augmentation support.