Obama Offers HealthCare.Gov LessonsAssistance Program Offers Security, Privacy Tips to Agencies
With lessons learned from the misfired launch of HealthCare.gov last fall, the Obama administration is now offering other federal agencies help - including security and privacy tips -- for their own IT rollouts.
The help includes the U.S. Digital Service, a small team of technology and other experts, modeled after the "tech surge" that President Obama called in to fix the problems that plagued the October 2013 launch of the HealthCare.gov website and systems. HealthCare.gov supports most of the state health insurance exchanges under the Affordable Care Act, known also as Obamacare (see Critiquing Insurance Exchange Fixes) .
The new U.S. Digital Service is small team of "the country's brightest talent" that will work with agencies "to remove barriers to exceptional service delivery and help remake the digital experience that people and businesses have with their government," says a Aug. 11 blog co-authored by three executive branch leaders: Beth Cobert, deputy director for management at the Office of Management and Budget; Steve VanRoekel, U.S. chief information officer, and Todd Park, U.S. chief technology officer.
The Digital Service team won't just include technical brainpower, but also other management issue experts from areas such as procurement, human resources and finance.
"The Digital Service team will take private and public-sector best practices and help scale them across agencies - always with a focus on the customer experience in mind," the authors say. "We will pilot the Digital Service with existing funds in 2014, and would scale in 2015 as outlined in the President's FY 2015 Budget."
In addition to making the small team of technical and other experts available to agencies, the administration released the initial version of a Digital Services Playbook, which lays out best practices for building effective digital services like web and mobile applications.
The playbook outlines 13 key "plays" drawn from private and public-sector best practices "that, if followed together, will help federal agencies deliver services that work well for users and require less time and money to develop and operate," the blog authors say.
Among the playbook's 13 plays is one focused on "managing security and privacy through reusable processes." For instance, says the play, "it's critical that our digital services protect sensitive information and keep systems secure. This is typically a process of continuous review and improvement which should be built into the development and maintenance of the service."
The "play" for security and privacy also contains a checklist of several considerations that need to be taken in federal agency IT endeavors. That includes "determining, in consultation with a records officer, what data is collected and why, how it is used or shared, how it is stored and secured, and how long it is kept."
To complement the Digital Services Playbook, the administration also released a draft TechFAR Handbook, a guide that explains "how agencies can execute key plays in the Digital Services Playbook in ways consistent with the Federal Acquisition Regulation (FAR), which governs how the government must buy services from the private sector."
TechFAR explicitly encourages the use of "agile" development -- an incremental, fast-paced style of software development that reduces the risk of failure by getting working software into users' hands quickly, and by providing frequent opportunities for delivery team members to adjust requirements and development plans based on watching people use prototypes and real software.
The TechFar handbook also provides security and privacy best practices and tips related to agile software development.
Brian Evans, a senior managing consultant at IBM Security Services, notes that the best practices outlined in the handbooks should already be known among federal agencies. "However, they are not always practiced consistently often due to unrealistic deadlines or a lack of resources and in some cases a basic lack of leadership and execution. The Digital Services playbook reiterates the fundamentals and provides guidance and direction to make the delivery of policy and programs more effective."
Overall, "I believe the Digital Services team and the playbook will be helpful to government agencies in terms of privacy and security best practices because the approach emphasizes the fundamentals and the overall lifecycle of information risk management," Evans adds.
While agencies are still digesting the offer of Digital Services help from the Obama administration, some federal leaders say most agencies are likely to welcome resources that could potentially complement or assist their own endeavors.
"On the face of it, it sounds like a good idea to have a cadre of folks with high brainpower [available to help]," Stan Lowe, the Department of Veterans Affairs' CISO tells Information Security Media Group. Adding that he hasn't yet seen all the details about the administration's Digital Service plans, Lowe notes that the VA has a similar-sounding effort underway involving technical experts.
"Internally we're building a like capability in the VA," he says. Nonetheless, "resources are always a valuable commodity to any federal agency. If someone is willing to send some folks over for a little while that are really smart and able to help them with problems, I'm sure most agencies would love to take advantage of that"
Meanwhile, Senate committee on homeland security and governmental affairs chairman Sen. Tom Carper (D-Del) says in a statement that the new Digital Service initiative "has the potential to help our government modernize how agencies develop and use technology by harnessing valuable insight from the private sector's best and brightest digital experts."
He adds, "It is my hope that the U.S. Digital Service will prevent future mishaps from occurring as it works to strengthen our agencies' digital systems and help agency leadership figure out what works and what they can do better when it comes to information technology.