Federal CIO's Exit: Impact on IT Security

VanRoekel Takes on New Role in the Fight Against Ebola
Steven VanRoekel had served as federal CIO since 2011.

The unexpected departure of Steven VanRoekel as the federal chief information officer likely will have little direct impact on the Obama administration's cybersecurity initiatives.

VanRoekel is leaving the White House to become the chief innovation officer at the United States Agency for International Development, working with the agency's Ebola response team. In his new job, VanRoekel will advise the agency's senior leaders on using technology and data to help ensure the U.S. government's response to the Ebola outbreak is coordinated most effectively and efficiently.

The federal CIO, statutorily the administrator of e-government and information technology in the White House Office of Management and Budget, is the top government official whose sole responsibility is to oversee federal IT and IT security. But beginning under VanRoekel's predecessor, Vivek Kundra, and continuing during VanRoekel's tenure, some key responsibilities for overseeing the implementation of federal government IT security programs shifted to the Department of Homeland Security's National Protection and Programs Directorate, with its deputy undersecretary for cybersecurity - now Phyllis Schneck - shouldering many of the executive branch's cybersecurity responsibilities.

For instance, DHS is shepherding civilian agencies' rollout of continuous monitoring, known in government lingo as continuous diagnostics and mitigation (see Continuous Diagnostics: Getting Started).

In addition, the White House cybersecurity coordinator, Michael Daniel, helps synchronize administration initiatives regarding implementation of cybersecurity programs in the federal government.

Codifying Existing Practice

Legislation pending in the Senate to reform the Federal Information Security Management Act, the law that governs federal government IT security, would formally transfer some of OMB's cybersecurity authority to DHS (see FISMA Reform Awaits Another Day).

Still, legally and in practice, the federal CIO's office has a lot of sway over federal IT security. The office is within OMB, which approves agencies' IT security plans and provides direction on how agencies should implement IT security practices. The federal CIO also serves as director of the federal CIO Council and leads its activities.

Mark Forman, the federal government's first e-administrator in the early 2000s, says that until a law is enacted, Congress will hold the federal CIO ultimately responsible for government cybersecurity regardless of the functions carried out by DHS. "The way I looked at this," he says, referring to when he held the job, "if you tried to misstate the facts, or diminish the significance of something, you're at risk of being held in contempt of Congress."


Steven VanRoekel on the Federal CIO's approach to IT security.

VanRoekel, in a statement, said his goal when he assumed the post three years ago was to help move federal IT forward into the 21st century through innovation. "I am proud of the work and the legacy we will leave behind, from launching PortfolioStat to drive a new approach to IT management, the government's landmark open data policy to drive economic value, the work we did to shape the mobile ecosystem and cloud computing, and the culmination of our work in the launch of the new Digital Service - we have made incredible strides that will benefit Americans today and into the future."

PortfolioStat helps agencies manage their information technology portfolios. Digital Service is an initiative to help agencies simplify the delivery of government services to citizens and businesses by using digital technologies.

Focus on Cloud, New Technologies

During his tenure, VanRoekel helped oversee federal agencies' secure migration to cloud computing platforms and the adoption of mobile technologies.

"Security has to be at the forefront of thinking around these technologies," VanRoekel said in a 2013 interview with Information Security Media Group (see Federal CIO on Adopting Emerging Technologies). "Just using technology for technology's sake is never a good tactic."

Deputy OMB Director for Management Beth Cobert, VanRoekel's boss, credited VanRoekel and his team as having "worked to transform the government's approach to technology by launching new efforts around open data, mobile and smarter IT delivery in government."

No successor has been named, but Deputy Administrator Lisa Schlosser will oversee the Office of E-Government and Information Technology until one is named. The White House would not say whether Schlosser is under consideration as a permanent replacement for VanRoekel.

Known as the federal deputy CIO, Schlosser is a former Army intelligence officer who served as CIO at the Department of Housing and Urban Development and chief information security officer at the Department of Transportation. Schlosser also served as director of the Office of Information Collection with the Environmental Protection Agency's Environmental Information Office.

Swift CIO Search Promised

"With Steve's departure, the president and his team will work to swiftly fill this very important role with another top talent," an administration official says. "The next CIO will work closely with OMB, agency and White House leadership, including the new CTO, Megan Smith."

Karen Evans, who served as administrator for e-government and IT in the Bush White House, characterizes Schlosser as a good deputy. "I am sure she will keep focus on the administration's priorities until the president appoints a successor," Evans says. "The successor will be focused on implementation in order to accomplish as much of this administration's priorities in the remainder of the term."

Among the administration IT priorities Evans identifies are assuring privacy, using information technology to make government more accessible to citizens, consolidating data centers and encouraging agencies to adopt cloud technology, when feasible.

Forman, Evans' immediate predecessor, sees the next federal CIO being engaged in three main areas: PortfolioStat, continuous diagnostics and mitigation, and a risk-based approach to cloud deployment. "As we shift to the cloud, [the new federal CIO must] understand how to take advantage of it while maintaining [security] controls," says Forman, vice president at systems engineering provider TASC.

Though the post is the equivalent of a cabinet agency's undersecretary, which requires Senate confirmation, the federal CIO is a political appointee who does not require Senate confirmation. The confirmation process can politicize a position, something Forman says lawmakers did not want to happen when they created the e-administrator post in 2002 as part of the E-Government Act. "Everybody agreed that position shouldn't be politicized because the job is so important," he says.

Whomever President Obama names as the next federal CIO, that person is expected to hold the post only for the two-plus final years of his presidency.

VanRoekel, a onetime speech writer and strategy assistant to Microsoft founder Bill Gates, has served as an administration utility player, being placed in key positions that require technology know-how. Before being tapped as federal CIO in 2011, he joined the administration in 2009 as managing director of the Federal Communications Commission. The USAID job continues that use of VanRoekel's skills.

Transforming Government Via Technology

"While serving as chief information officer of the United States, Steve transformed the way the federal government embraces innovation, and enabled USAID to become more efficient and effective," says Rajiv Shah, USAID administrator and VanRoekel's new boss. "With his unique talents and expertise, Steve will help us harness technologies like open data and mobile platforms to reach communities and households with powerful and life-saving information to help stop the devastating Ebola outbreak."

It's a theme VanRoekel expanded on: "Technology is not the solution to this extremely difficult task, but it will be a part of the solution, and I look forward to partnering with our federal agencies, non-profit organizations and private sector tech communities to help accelerate this effort."


About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.