Bringing critical homeland security IT systems and the staff who will use them up to speed is happening with requisite urgency, prioritization and innovation, the Department of Homeland Security’s CIO and two component tech leaders told senators Wednesday at a hearing examining the modernization of legacy technology.
“Our subcommittee continues to encourage agencies to adopt modern systems that are more efficient, more cost effective and, frequently, more capable,” Senate Homeland Security and Governmental Affairs Emerging Threats and Spending Oversight Subcommittee Chairwoman Maggie Hassan (D-N.H.) said.
“If an aging system that DHS uses to vet passengers or visitors traveling into or through the United States goes offline there’s a chance that a dangerous person could enter our country,” she said. “In such cases, workarounds can help limit national security risks but they can also cause commercial delays or miss real-time intelligence.”
The Government Accountability Office and the DHS Inspector General both have assessed DHS IT modernization efforts and in doing so, Hassan noted, “have raised concerns about its reliance on outdated IT systems that perform mission-critical operations.”
“They have looked at DHS IT systems that ensure the security of air travel support, disaster mitigation and preparedness activities, and enhance border security and they have asserted that the failure of any of these systems would have a significant impact on public safety and national security,” she added. “That’s why it is crucial that DHS modernize these systems.”
Ranking Member Mitt Romney (R-Utah) stressed that “the vulnerability of our systems has obviously changed in dramatic ways with the advent of AI.”
“I think we all recognize that intrusion into government systems is a risk – it’s being and has been carried out a number of times by the Chinese or by their cohorts and by Russians and we need to take special care to protect the information provided by the American people,” Romney said.
Department of Homeland Security Chief Information Officer Eric Hysen agreed that “modernizing our legacy IT systems is essential to improving the experience of those that rely on our department for critical services and of strengthening our ability to carry out our vital homeland security missions.”
“Modernization further offers opportunities to strengthen our cybersecurity posture and reduce spending,” he added.
With the understanding that “single ‘Big Bang’ releases of new systems lead to massively increased risk,” DHS rejects this approach “in favor of a more incremental, iterative and measured strategy based on private-sector best practices that enable us to successfully modernize key services and retire costly legacy systems,” Hysen said.
“Our newly initiated modernization programs focus on defining a minimum viable product initial functionality that can be launched within months, not years. From there, we follow an agile software development methodology that gathers requirements, builds tests, and launches software in rapid iterative cycles,” he said. “Modernized systems are deployed and implemented in parallel to the old legacy ones to buy down risk over time. For our existing modernization programs started under the old model, we are focused on transitioning as much of the work to the new approach as possible. A critical element of this approach is that government, not any one vendor, must serve as the integrator ultimately responsible for successful delivery of an IT system. We depend on our industry partnerships but require strong technical expertise in federal service to oversee contracts and ensure results.”
Hysen, who spent time as a software engineer and program manager at Google prior to entering government, told lawmakers that he is “focused on strengthening our IT workforce to enable this both by bringing in talent from the private sector and creating new opportunities for our workforce to develop and gain new skills.”
DHS announced last week that the department reached its target of eliminating 20 million of the 190 million hours of administrative burden placed on the public each year “through modernizing our IT systems and simplifying our services.”
“We still have much work to do but I am proud of the work done by my colleagues here today and the entire DHS IT community to deliver modernized secure, effective and usable systems to support our department’s critical missions,” Hysen added.
Federal Emergency Management Agency Chief Information Officer Charles Armstrong told senators that the agency “is utilizing an actual development and delivering small segments and providing an opportunity for customers to interact with systems in a rapid fashion.”
“This approach allows our developers to receive real-time feedback from customers on their experience,” Armstrong said. “FEMA requires continuous modernization to maintain mission readiness. The overarching goal is to modernize and streamline processes through the consolidation of systems and platforms. As the Stafford Act-related disasters increase, our system must be able to scale to support the magnitude of the disaster.”
“FEMA is consolidating eight disparate legacy systems into the FEMA grants outcome system better known as FEMA Go,” he said. “The new IT platform is targeted toward the entire grants community of users including FEMA personnel, the grants recipient, the sub recipients, across state and local governments, tribal and territorial partners. FEMA through FEMA Go has migrated five programs to the new system in fiscal years 2018 through 2022 and is onboarding 14 additional grant programs in fiscal year 2023. The plan is to onboard approximately 20 additional grant programs by April of 2024 and decommission the old systems by 2025.”
Transportation Security Administration Chief Information Officer Yemi Oshinnaiye said he is “proud of how TSA is approaching modernization to ensure our infrastructure systems and IT solutions remain resilient and effective,” as the agency is responsible for the security of more than 430 federalized airports and routinely screens more than 2 million passengers, 5 million carry-on bags, and 1.4 million pieces of checked luggage daily for explosives and other prohibited items.
“Our strategy for modernization at TSA is aligned with the DHS overall approach,” Oshinnaiye said. “Our focus is on leveraging human-centered design, a problem-solving technique we use to engage our customers. This technique allows us to leverage user experience and incorporate this feedback into our overall modernization strategy. When we operate this way, we provide a better opportunity for the user community to influence the final product, which improves the final product. TSA’s IT modernization strategy enables the agency to outsource critical portions of the modernization to industry partners such as cloud vendors who invest heavily in modern services and infrastructure. Leveraging this investment empowers TSA to focus more of our talent and resources on process improvement and strategies for continued mission success.”
A “great example” of this is the Performance and Results Information System known as PARIS, he noted, which manages compliance and inspection activities. “We recently successfully migrated to the cloud platform, which enabled us to grow, scale and provide robust analytics for TSA compliance activities,” Oshinnaiye continued. “Another example is the Mission Scheduling Notification System otherwise known as MSNS. This system schedules federal air marshals to protect in-flight travel. MSNS is a collection of systems with integration to many other systems but currently includes a lot of extensive manual processing. We prototyped a modern process using cloud platforms with an intuitive design in a matter of months using agile that alleviates manual processing. Our solution delivers rapidly over time by taking an iterative approach.”
“These two examples show how TSA IT delivers effective technology to the mission and the strategy to sustain its capability,” he said.
Kevin Walsh, director of Information Technology and Cybersecurity at the Government Accountability Office, said of legacy systems, “Just because they’re old doesn’t mean they’re at risk or in need of retirement.”
“The systems to focus on are those that we would flag as legacy IT systems that are outdated or obsolete that may have heightened security risks or aren’t meeting mission needs,” Walsh testified. “Worryingly, the department’s efforts to modernize such systems have a history of costing more than planned and taking longer than promised.”
Walsh noted that biometric identity management services handling fingerprinting and facial recognition “are outdated and the replacement project is years behind schedule,” and the system the department uses “to award billions in grants to prepare and respond to disasters is also outdated and the replacement project is also years behind.”
“While all is not quite right in the Land of Oz, DHS has been taking promising steps to address these issues,” Walsh said. “For example, they’ve halted or suspended projects that are going poorly, they’ve addressed our recommendations at a better-than-average rate, documented lessons learned and used modern development technologies like agile and incremental. They’ve also been working diligently to address our associated high-risk area on IT and financial management functions.”
Going forward, he said, “DHS needs to continue addressing its legacy systems by cataloging those systems, identifying what’s not performing and prioritizing the work ahead.”
“They should also make sure to turn off the old systems,” Walsh added. “It’s worth noting that just this should not be a one-time effort – it should be part of every agency’s portfolio management to consider what IT isn’t doing well. Ideally, we should also be forecasting when this will occur so that the government’s responses are proactive instead of reactive.”
He also alerted lawmakers that “modernization may not be a cost-saving endeavor – what we do get are newer systems that are more efficient, better functionality and stronger security.”
“Different agencies have different ideas about what makes an IT system mission-critical so, Mr. Hysen, how does DHS currently prioritize which systems to modernize?” Hassan asked.
“As we look at establishing modernization priorities we are looking to those that fit into three categories: those that present significant cybersecurity risk, those that present opportunities to improve the experience the public has interacting with DHS services, and those that present opportunities to improve how our employees do their job every day and enable them to do that more effectively,” Hysen replied. “On the cyber front, one tool that we have developed to aid us in this is a unified cybersecurity maturity model that evaluates all of our IT systems across the department on a number of different cyber axes and enables us to best identify areas of risk to prioritize our modernization efforts.”
Walsh said that GAO’s test “first looks at whether the functions of a given system are unique to the agency – if it’s unique then any sort of damage or disruption, what kind of impact it would have to the mission of that agency?”
“I believe we look at very similar criteria across our planning efforts,” Hysen said. “I think it’s a really important area to focus on and really try to make sure that that is in fact how the agency is approaching it.”
Hassan asked Oshinnaiye, “What would happen if the Secure Flight system were to go offline, fail or be even partially inaccessible?”
“The system has been in existence for a while but calling it a legacy system wouldn’t be the same as a mainframe,” Oshinnaiye replied. “That system is constantly updated and if that system would go offline we do have an offline policy or process where we can operate for a certain amount of time.”
Along with Science and Technology Under Secretary Dimitri Kusnezov, Hysen co-chairs the DHS Artificial Intelligence Task Force established by Secretary Alejandro Mayorkas in April. Asked by Romney about “the impact of AI on your respective responsibilities” and what agencies must “do to protect the most critical information that we have from attack from malign interests that would seek to undermine our national security or our personal privacy,” Hysen noted that “AI presents a significant opportunity in modernizing our systems as well as better harnessing AI to advance our mission delivery.”
“But the risk of adversarial use of AI is real as is the risk of disparate bias or unintended disparate impact from our use of AI,” he added. The DHS task force “is looking at exactly those questions – we are still early in our work but are taking this work very seriously and have it as a major focus for the year to come.”
“What are you doing to prepare the workforce that is going to live in both of these worlds and needs to for a little bit longer?” asked Sen. Jacky Rosen (D-Nev.).
“We’re focused on training across the board,” Hysen said. “One of the areas that I and my fellow CIOs at DHS have identified as a priority is standing up a department-wide IT Academy that will include standardized training for all new IT hires into the department as well as ongoing development opportunities for our employees to develop new skills, whether that be in AI and data science, customer experience, agile development or the like. The IT workforce at DHS is a tremendous asset – we have 5,000 talented and committed professionals – and so while we’re also looking to bring in more talent from the private sector, we have opportunities and are focused on enabling our existing workforce to grow and continue to increase their impact.”
“What we’ve done at TSA in addition to what my colleagues mentioned is kind of reducing the fear of getting your hands dirty,” Oshinnaiye said. “Myself and my deputy are also former developers so we allow folks to come in and use their technology… we actually had a staff member build a system themselves in the last 30 days we’re actually using internally, so once you reduce that fear factor and let everyone learn and then fall forward we’re able to build out what I call the IT IQ. We even have in our airports innovation cells which allow folks in the airports to come up with ideas and build on platforms. And the more you let folks work and use it the smarter they become.”
Hysen said that DHS is “currently finalizing our updated IT strategic plan for the department.”
“Our current plan expires at the end of this fiscal year and we’ll be releasing the new one prior to its expiration that will identify our overall modernization priorities,” he said. “But ultimately in government the truest sign of your priorities is where you align your budget, and so I’ve been focused along with our acting CFO on strengthening the IT oversight of our budget request over the last three years. We have progressively increased IT involvement in the annual budgeting process under the spirit of FITARA such that now as we’re preparing our ’25 budget request every IT investment proposal by any part of the department is evaluated against the IT modernization priorities that I have set out for the department. And then we are ensuring that my component CIOs and then, ultimately, I have full review and approval over the IT budget request. So, ultimately, I believe that our budget request becomes the modernization plan as that is where we intend to align our resources.”
“We actually follow in tandem with the department,” Oshinnaiye added. “Some of the components we’re also building out in our strategic plan as well and working to align with the department. Some of the things that we’ve adopted in addition to technology advancement is technology and context, making sure that when we put new technology out that it actually aligns to the mission. And so part of saving money on the missions, making sure we put the right technology out so people can use it and we’re not iteratively trying to change technology because it doesn’t adapt to what the user needs.”
“So we use that and we work with the department and all of our upgrades and our processes so that we’re in alignment not only with the department but with other components,” he said. “And then we find an opportunity to share technology.”