November 19th marked the 15-year anniversary of the Transportation Security Administration (TSA), the first agency charged with securing the Nation’s transportation systems from terrorist attacks. Today TSA operates in more than 450 airports and, along with our industry partners; we also safeguard the four general modes of land-based transportation: mass transit, freight rail, highway motor carrier, and pipeline.
The 70,000 brave, dedicated men and women who serve our mission depend on IT products and services to gather intelligence, share information, and provide security for passengers and cargo. As the terrorism threat to our country evolves, the demands of our mission require us to deliver IT faster and cheaper, which is easier said than done. Government agencies are often unable to modernize technology due to constrained resources and complicated requirements and acquisition processes, creating a self-perpetuating cycle of trying to keep pace with the most current technology. According to Federal CIO Tony Scott, of the $82 billion in Federal IT spending planned for 2017, approximately 78 percent ($63 billion) is dedicated to maintaining legacy IT investments, mostly aging systems and fixed infrastructure that is growing more expensive to operate and more challenging to defend against modern cyber security risks. Volumes of legacy policies and processes also make it challenging to implement promising ideas and innovation.
TSA is addressing these challenges, in part, by changing our IT business model from an asset-based culture to a services-based, customer-centric delivery model. We are looking at ways to leverage cloud computing technologies to more quickly and efficiently meet the IT needs of the Agency, all while driving down costs. There is a popular saying that the cloud is simply “someone else’s computer”. But it can be much more than that. With cloud, TSA can not only minimize recapitalization requirements, we can manage the delivery and security of our infrastructure with unprecedented speed and agility.
One of the biggest challenges we face is managing cloud disruption, both to operating procedures and “company” culture. For IT staff who are used to configuring and provisioning IT equipment in a traditional way, adopting a cloud model can be stressful, to say the least. Some agencies try to identify all requirements at the outset, even before building a basis of expertise or gaining hands-on experience. At TSA, we approached the problem differently, first by partnering with the General Services Administration and their digital services office, 18F, then by introducing cloud activities and principles through an agile, collaborative, iterative approach.
This scaled approach ensured that we didn’t bite off more than we could chew. Our first goal was simple: we asked our employees to move two applications to the cloud, but more importantly, to learn, to document lessons learned, and to prepare the organization for a larger cloud migration. Traditionally, our organization employed a waterfall development method where workflow was characterized by a series of sequential events and handoffs between development, engineering, security, and operations. That’s not very agile, and the lack of integrated teamwork can result in frustrating roadblocks that impede progress, particularly for the development of systems and services that cloud computing enables.
The first thing we needed to do was change our culture, which requires effective organization change management, and lots of training. We created a Cloud Team that included representatives from each division in our organization, and we told employees that the only three possible failures were: not to try, not to learn, and not to manage risk appropriately. We established an agile room, where architects, engineers, developers and security professionals work side-by-side in true DevSecOps fashion, and in doing so, we established an open, collaborative, transparent method of working together, focused on delivering value to the end-user.
We then focused on providing the technical training necessary to ensure the success of TSA’s cloud adoption efforts. In addition to 18F, we brought in outside counsel to conduct targeted training sessions, as well as “on-the-job training,” so we can truly employ agile methods, not just treat them as buzzwords or checkboxes. We leveraged hands-on learning to build a skills matrix and training plan to support staff in developing and maturing new talents, and we are incorporating these modern methods into employee performance plans to reward and incentivize the adoption of agile methodologies.
As we create this culture, we are also focusing on how to quickly pilot new capabilities. By breaking down historical silos to build a better understanding of how everyone contributes to the mission, we are better-positioned to expand our focus into new areas, such as using “big data” and Artificial Intelligence technologies to create new capabilities for enabling our mission.
New avenues for restructuring of technology have emerged in the past 15 years, and current demands necessitate a new model and an expansion of IT service. In effect, the new risk is in moving too slowly, either enabling those who might wish us harm to gain a foothold, or in failing to meet the new pace and demands of the mission. We know that at TSA we have a unique obligation to leverage technology to protect the Nation. We must balance the need to maintain a stable infrastructure for national security with the priority of providing an agile, innovative platform for our customers. And our workforce needs time to adapt to the new model. They need a chance to learn and to develop better policies and practices in an ever-evolving technology landscape. Meanwhile, we will continue to maximize the value of our IT spending while encouraging experimentation and innovation. As the TSA cornerstone states, we are an agency “built of innovation, patriotism and steady virtue,” and our workforce is dedicated to facing all challenges as we secure our nation’s transportation systems.