Reducing Complexity in Government IT

I’ve now been serving at VA for over two and a half years. I’ve held this role long enough to think that I may understand how this place runs and where our opportunities for improvement lie. So, what have I learned?

First, VA is one of the best places — if not the best — to be in federal IT. It has an incredibly inspiring mission, and it has great people committed to service. This comes through in the annual GSA/OMB IT Customer Satisfaction Survey, in which OIT recently ranked first among its peer group for IT Function for the fourth consecutive year — no small feat. While we face a lot of challenges, we should all be proud of our record and our mission: serving those who served us.

Second, VA is an extraordinarily complex organization, both in terms of its mission and its operations.

Think about it: we’re the single largest integrated health care provider in the country, supporting over 9 million Veterans. Moreover, each day the Department faces complex and diverse tasks which include delivering disability compensation to 5.8 million Veterans, administering 5.5 million insurance policies, and serving 4 million home loan participants. To do this, we operate more than 3,000 sites and facilities, which include 132 large hospitals, 2.7 million pieces of equipment, over 1,000 IT systems, and 600,000 end users. These IT systems vary in their modernity, ranging from scalable cloud-resident systems to mainframe systems running on COBOL.

This complexity can be both energizing and, I’ll admit it, daunting at times.

Daunting, because on top of it all, we face constant fiscal pressure, compelling us to do more with less.

Energizing, because there are so many areas where we have the opportunity to add value and enable greater care for those we serve.

How We Tame the Complexity

Given this environment, what have we found to be effective in managing complexity and focusing our efforts? Some approaches have become ingrained in our workflow, others are still works in progress, and some remain hopeful aspirations for the future.

To start, we have established a North Star for our team. All teams need to know the direction to head in and what is most important at the end of the day. Our North Star is defined by four key principles:

1. Be Vision Focused: Ensure that everyone understands where investments are heading and that there is alignment.
2. Invest in Operational Excellence: Building and operating systems well is challenging. We define operational metrics, monitor our critical systems, and strive for perfection, and we do the hard engineering work to get us closer each day.
3. Create Delightful End User Experiences: Great systems and productivity experiences are intuitive, powerful, and accessible. This requires a focus on building things people love to use. We track our progress by measuring user satisfaction for end user-facing systems.
4. Invest in People Excellence: People are our greatest asset, so we invest in making VA a great place for technologists — whether that’s solving challenges here at VA where they can have meaningful impacts on Veteran outcomes, or developing the skills needed to take their expertise to the private sector.

One notable element of “Be Vision Focused” is that it requires that we move away from the old “IT as order takers” mentality. Instead of asking stakeholders to prioritize our work, we seek to understand their business drivers, industry trends, and concerns. We must deeply understand and analyze the critical processes that “drive the business” and align our investments around those that will have greatest positive impact on those processes. This alignment around the business of our stakeholders helps us develop the right shared vision and roadmap, followed by focused execution.

We have also created a clear cascade of responsibilities, ensuring everyone can “go deep” when needed. We organize around distinct portfolios that contain product lines and products. Product managers must understand everything about their products, portfolio managers their portfolios, and the CIO the entire enterprise. Responsibilities are delegated but never abdicated; we sink or swim together.

We’re striving for greater clarity in our expectations of contractors, too. Often, contractors get into the habit of being in “receive mode” where they’re taking all their guidance from VA’s government employees. But we need true thought partners, not just technical staffing agencies. Contractors should share responsibility for outcomes, push our thinking, and make us better. Accountability must work both ways; we succeed as a united team, and if we fail, we fail together as well.

As perhaps the most complex aspect of IT for all government agencies, we’re driving greater clarity in our approach to cybersecurity, as we remain vigilant against current and future threats. A few things are particularly important, in my mind:

• Given the many interrelated systems at the VA, we believe fervently in Zero Trust as the essence of our strategy. We can’t trust our perimeter to completely safeguard us, and the key tenets of Zero Trust help us create a strong, multi-faceted defense.
• We are investing more in red teaming to find vulnerabilities proactively, as bad actors do daily.
• We are working towards greater system isolation, treating critical assets like directory services and critical systems with the same rigor as cloud providers.
• As I suspect is the case in all federal agencies, we’ve defined a lot of cybersecurity policies, but not all of them are practically achievable. We are refining these policies to focus on critical and achievable goals, ones that push forward our cyber posture and that we are comfortable being held accountable for in our FISMA security audit.
• In a complex world like VA, we cannot accomplish everything overnight. Our approach must be risk-based, articulating a clear rank order of security risks and plans for addressing them. The old adage that you can’t prove a negative is particularly true in cybersecurity, so we use this risk analysis and prioritization to make sure we get incrementally more secure every day.

We are leveraging the natural gates we have in FITARA and ATO to help us tame the complexity. FITARA helps us evaluate whether investments make sense, ensuring alignment with senior leaders, compliance with Section 508 accessibility standards, ownership of intellectual property rights, and comfort about where the solution is hosted. ATOs ensure systems operate reliably and address the most significant cybersecurity risks, with adequate visibility into security processes and shared responsibility for assurance.

Finally, we treat each budget dollar as scarce, with clear prioritized lists for non-funded dollars. We seek to reduce spending in non-strategic areas, and we place unfunded work on a unified priority list to address when additional funds become available.

Reducing complexity and increasing focus at government agencies isn’t easy, and it’s one of the top challenges all CIOs face. But there are several tools that can help tame it. For VA, we’ve found that establishing a North Star for our teams and coupling it with precision execution, a clear cascade of responsibilities, clear expectations of accountability for government and contractors, a risk-based approach to cybersecurity, the fuller use of FITARA and ATOs, and treatment of each budget dollar as scarce has already helped to somewhat tame that complexity. It has also vastly improved our ability to support an unprecedented demand for VA health care, benefits, and services, and it’s helping us deliver a truly exceptional digital experience for the Veterans we serve, their families, and their caregivers.