information security


A Best Practices Guide to Information Security

Monday, March 28th, 2011 - 13:52
Organizations take great pains to use technology to defend against outside attacks; they work hard to spot and stop the malicious insider who is willfully trying to do ill to systems. However, most organizations fall short in equipping their workers with best practices to make them part of the solution to information security.

Chad L. Fulgham

Wednesday, January 5th, 2011 - 12:01
Phrase: Mr. Fulgham is responsible for the FBI’s overall information technology (IT) efforts, including developing the FBI’s IT strategic plan and operating budget.
Radio show date: Sat, 01/22/2011
Intro text: Mr. Fulgham is responsible for the FBI’s overall information technology (IT) efforts, including developing the FBI’s IT strategic plan and operating budget.

Chad L. Fulgham

Wednesday, January 5th, 2011 - 12:00
Mr. Chad Fulgham was appointed as the FBI’s Chief Information Officer (CIO) on December 8, 2008. Mr. Fulgham is responsible for the FBI’s overall information technology (IT) efforts, including developing the FBI’s IT strategic plan and operating budget. He is also responsible for management of all FBI IT assets, which includes legacy equipment and infrastructure as well as evolving implementation of new and modernized systems and services to accommodate mission priorities.

Casey Coleman

Monday, December 6th, 2010 - 13:14
Phrase: Ms. Coleman is the Chief Information Officer of the U.S. General Services Administration.
Radio show date: Sat, 12/18/2010
Intro text: As CIO she is responsible for managing the agency's $600 million IT budget and ensuring alignment with agency and administration strategic objectives, information security, and enterprise architecture.

Casey Coleman

Monday, December 6th, 2010 - 13:02
Casey Coleman is the chief information officer for the U.S. General Services Administration. She oversees the Office of the Chief Information Officer, managing the agency’s $600 million information technology budget and ensuring alignment with agency and administration strategic objectives and priorities.

Robert Howard interview

Friday, June 6th, 2008 - 20:00
Phrase: "A career in public service is rewarding. In the VA, we have a very clear mission: to support veterans and all those who have given a great deal to our country."
Radio show date: Sat, 06/07/2008
Intro text: "A career in public service is rewarding. In the VA, we have a very clear mission: to support veterans and all those who have given a great deal to our country."

Originally Broadcast June 8, 2008

Washington, D.C.

Announcer: Welcome to The Business of Government Hour, a conversation about management with a government executive who is changing the way government does business. The Business of Government Hour is produced by The IBM Center for The Business of Government, which was created in 1998 to encourage discussion and research into new approaches to improving government effectiveness. You can find out more about The Center by visiting us on the web at businessofgovernment.org.

And now, The Business of Government Hour.

Mr. Morales: Good morning. This is Albert Morales, your host, and managing partner of The IBM Center for The Business of Government.

To quote President Lincoln's promise, "To care for him who shall have borne the battle, and for his widow and his orphan," the Department of Veterans Affairs provides benefits to U.S. military veterans and their families. Though much has changed over the years, VA's mission remains constant: to provide competent and compassionate high-quality health care benefits and memorial services to the country's veterans. The VA has had a long, successful history of using information technology to meet its mission.

With us this morning to discuss VA's efforts in transforming its IT infrastructure and operations is our very special guest, Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

Good morning, Bob.

Mr. Howard: Good morning.

Mr. Morales: Also joining us in our conversation is Tom Romeo, IBM's general government industry leader.

Good morning, Tom.

Mr. Romeo: Good morning, Al.

Mr. Morales: Bob, let's start with some basics. Could you take a few moments to give us an overview of the history and mission of the Department of Veterans Affairs?

Mr. Howard: Sure. A history of providing benefits to American veterans goes back quite a ways. In the very early days, with the Pilgrims, in fact, laws were passed that the colony would support soldiers that happened to be disabled -- you know, some wars with local Indians, in fact. The Continental Congress, 1776, provided pensions for soldiers disabled during the Revolutionary War, but most benefits in those days came from state and local communities.

Over World War I, at that time, disability compensation insurance and that sort of thing were handled by three different federal agencies. This is around the 1920s. The three different federal agencies involved were the Veterans Bureau, the Bureau of Pension of the Interior Department, and the National Home for Disabled Volunteer Soldiers. So that was what happened after World War I.

The Veterans Administration was actually established in 1930. And then in 1973, the Veterans Administration added to their benefit portfolio, if you will, the National Cemetery system. But the Department of Veterans Affairs as we now know it today was established as a cabinet-level agency on the 15th of March 1989. And as probably most people realize, it is now the second-largest cabinet-level department in the United States.

Mr. Morales: So on that note, can you give us a better sense of the scale of the Veterans Administration, how perhaps it's organized, size of its budget, staff, and the geographic footprint?

Mr. Howard: It's a very large agency, over 240,000 employees. The veteran population that is on the roll, so to speak, is about -- I think it's between 7- and 8 million. Visits to our hospitals in a given year is over 5 million. So it's quite massive. We cover all the states, of course, across the country, and even have organizations in other parts of the world -- Puerto Rico, Guam, and the Philippines -- so a very extensive organization.

From an IT standpoint, a couple of years ago, the organization was a typical staff agency, between 3- to 400 people. But now, due to the centralization that has taken place over the last couple of years, our organization is almost 7,000 strong, located all over the country.

And we're organized in five general areas. In fact, these are Deputy Assistant Secretary positions, if you will. Information protection and risk management has of course received very high priority over the last couple years, ever since May of '06, in fact. And it's really a field organization, yet it has security offices that are located in most of the facilities throughout the country.

We have a Strategy, Policy, and Plans Deputy Assistant Secretary who focuses on future kinds of activities. We have one that deals with resource management, managing the budget and the human resources part of information technology. And then we have a rather large organization that focuses on development, almost 1,000 individuals. And these are the folks that put together new development programs, adjustment to commercial off-the-shelf software and whatnot. And then the last very large organization is Operations and Field Development. This is the biggest particular part of our organization, and they're responsible for keeping things humming along at the individual hospitals and regional offices and what have you.

We also have an organizational management activity that at least is in place for a little while as we continue to try to reorganize IT in the VA. You know, we're not quite done on that yet. We have an oversight and compliance capability that's very aggressive, very robust. In fact, we put that together right after the breach that we experienced in the '06 time frame, and that has been very helpful to us in terms of identifying problem areas and getting some focus on things that need to be fixed.

And then we have an organization that deals with quality and performance, which that's not a big organization, but obviously a very important one.

Budget-wide, the VA budget is approaching $90 billion. And our particular part of it in information and technology, just to give you a feel for it, in our '09 request that is now up there on Capitol Hill, it's about $2.4 billion to support information and technology, both development and operations and any maintenance expenses that need to take place. And that particular amount does include over $700 million to support staffing, and as I mentioned earlier, the staffing is almost 7,000 employees.

A very, very large organization. IT has been centralized over the last couple of years, and again, we are still maturing as an organization.

Mr. Romeo: Bob, can you tell us a little bit more about your specific responsibilities and duties as Assistant Secretary for Information and Technology and the CIO at VA?

Mr. Howard: Well, yes. I mean, I serve as the Chief Information Officer. And there are federal laws that address that particular position, so the responsibilities are quite broad. I advise the Secretary, of course, on all matters pertaining to acquisition and management of IT systems. I'm responsible for overseeing the operation of VA's computer systems to telecommunications networks that support medical, benefit, and cemetery activities.

The very important part of all this is not just computer software, but information protection. You know, that's a really big responsibility of the CIO, cybersecurity and all that. That's a very important part of the CIO's responsibilities.

Mr. Romeo: In regard to your responsibilities and duties, what are the top three challenges that you've faced in your position, and how have you addressed those challenges?

Mr. Howard: I'd say the biggest challenges orient on the human resources part, making sure that we can bring on board and retain high-quality individuals, because one of my first priorities is to establish a high-performing IT organization.

Another area that is tough right now is standardization, and that's another key priority of ours as part of the reorganization is to standardize IT infrastructure and business processes. It's difficult, because one of the unique things about the VA, it's a decentralized organization. And when you have a decentralized organization, it's sometimes very difficult to keep things standardized. It's operated in a decentralized way, quite frankly, deliberately to improve the quality of care. And over the last -- during the '90s, Dr. Kizer was a key individual in turning around the quality of care in the VA. And he did that through decentralization, and holding individuals accountable based on a set of criteria. When we did that, we probably did not pay enough attention to standardizing from an IT standpoint, and we've now recognized that that has created some problems. And that's one of the main reasons why the IT reorganization took place, to try to bring a little more standardization and visibility over financial systems.

And while I'm on the financial part, that's another challenge. Of course, this is expensive business to get adequate funds appropriated from the Congress, not only for software and equipment and what have you, but in order to support the staffing needs that we have. And there are areas where we're concerned about adequate numbers of staff. In fact, we've got a study going on right now to try to determine what is the right staffing mix at the various hospitals, regional offices, and what have you, because it has not been done in the IT arena.

For example, in Veterans Health Administration, they have methodologies to determine how many nurses and how many doctors might be needed for certain sizes of facilities. We don't have anything like that in IT, and we're generating that right now. In fact, helping us in that particular study are individuals who do that for doctors and nurses and what have you, so that'll be very helpful to us.

The last thing I'll say on the challenge side is the IT appropriation. In 2006, Congress established an information and technology appropriation for the VA. I think we're the only government agency that has a separate appropriation, and it's a line item appropriation. And whenever you have a line item appropriation, there's a challenge making sure you get that right up front. We sometimes miss a little bit on that. We've been working with this appropriation now for a couple of years, and it has forced us to plan ahead and to pay much more attention to the intricacies of financing IT.

Mr. Morales: So it sounds like human resources, standardization, financial management, and IT appropriations keep your day pretty busy then.

Mr. Howard: Yes, and also supporting our customers in the field, with the hospital directors and regional offices. You know, when we established organization of IT in the VA, there was a lot of angst out in the field about having their IT staff transferred to a central organization, and that still exists to some degree. So that's a challenge, to make sure we can produce and can -- demonstrated performance is what's going to make the difference, and we're still working on that.

Mr. Morales: Now, Bob, I understand that aside from a 33-year career in the Army, you also spent about 9 years in the private sector. Could you tell us a little bit about how you got started? And more importantly, how have these experiences prepared you for your current role today?

Mr. Howard: Well, first of all, the years in the Army of course were very helpful in terms of almost anything you do, because the Army spends a lot of effort on leader development, training, and education of its officers. In fact, the military does an exceptionally good job on that. And, quite frankly, we're trying to adopt some of those techniques for our own people. The years in the Army, I spent some time in, of course, command assignments and also in operations research kinds of assignments, which dealt with building simulations and that sort of thing, so IT-related.

In the private sector, the company I worked for is the Cubic Corporation, and one of their main areas of focus, if you will, was simulation and information technology, so that was very helpful. A lot of the work that I did when I was with Cubic was in Central and Eastern Europe, helping those countries get into NATO, westernize their methods and what have you, and quite a lot of it dealt with information technology.

And then the last, when I came to the VA almost three years ago now, I became the senior advisor to the Deputy Secretary. This was before -- about a year before I took over as the CIO. And in that job assisting the deputy, he had me involved with a lot of IT programs; in fact, modernization of the electronic health record and things like that. So I became pretty familiar with VA IT even before becoming the CIO.

Mr. Morales: That's great.

What about the VA's IT transformation effort? We will ask Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs, to share with us when the conversation about management continues on The Business of Government Hour.

(Intermission)

Mr. Morales: Welcome back to The Business of Government Hour. I'm your host, Albert Morales, and this morning's conversation is with Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

Also joining us in our conversation is Tom Romeo, IBM's general government industry leader.

Bob, you talked a little bit in the last segment about VA's IT realignment and some of the transformation efforts that you've undertaken. Could you tell us a little bit more about this? And specifically, how does this new model differ from VA's previous mode of operations?

Mr. Howard: The decision to transform the IT management system in the VA was made to correct some longstanding deficiencies in certain areas, and a lot of this came from the Congress. They were very concerned about it. With the decentralized way that the VA was operating as it pertains to IT, they could see different kinds of computer systems and different applications and what have you being used throughout the VA; very difficult to tie some of that together.

The reasons for the reorganization are several. The VA was not maintaining a standardized IT infrastructure. Interoperability of IT systems was a problem. The compatibility of IT programs was also a problem. Also, the financial aspect of it was of some concern to the Congress. It was they were not satisfied with the visibility that they were getting over where the IT money was being spent and that sort of thing. And so a lot of pressure from the Congress to centralize the activity and change from a decentralized way of doing business.

In the past, under a decentralized model -- if you were a hospital director, for example, and you needed some computer application or whatever, you could just go get it, particularly where you didn't have an IT appropriation to worry about. And quite frankly, if any one of us was a hospital director, you'd probably like that, as long as you got the money you needed and what have you. But when you take a look across a large organization, if that kind of modus operandi, if you will, goes on for a period of time, you do begin to lose from the standardization standpoint. And that might have been okay 15 or 20 years ago, but in this day and age, with the web and all of that, it creates problems. So more than anything else, it was a standardization focus, which is why the Secretary finally decided to do that.

And he took it in a couple of bites. First of all, this is under Secretary Nicholson, the previous Secretary of the VA, the first one, he made a decision to consolidate operations and maintenance, the day-to-day functions of running IT. And then several months later, he decided to include the development part of it. And so what we have right now is called a single IT leadership authority for the VA that covers all of the operations and maintenance, the development, all of the security stuff, the handling of the IT appropriation, all of that.

Mr. Morales: So what are some of the key benefits and advantages of moving to this new model? And could you elaborate perhaps on some of the few principal key elements of this new model?

Mr. Howard: Visibility over IT activity throughout the VA is clearly, clearly an advantage. And we are discovering problem areas that need to be fixed. To some degree, we're beginning to solve the problem of the haves and have-nots. For example, in the past, if you were a hospital director or an RO director, you may have spent money on IT infrastructure and kept things up to speed, if you will, and you may not have. I mean, it was sort of up to the individual directors. The IT reorganization is helping now to get visibility over areas that were not adequately resourced in the past and do need to be brought up to speed, so to speak, particularly in the infrastructure arena.

The personnel part, we're putting together a career development program for IT individuals, IT employees. That existed to some degree in the past, but was not very robust. So we believe the reorganization will be helpful to us in that area.

I mentioned the appropriation. Financial visibility is much greater than it was before.

The other advantage that I want to comment on has to do with security. You know, everybody remembers the breach of May of '06. And then we reorganized and began to move down the path towards a central IT leadership authority. That has given us much better capability to mandate security methodologies and what have you throughout the VA. To give you an example, we encrypted all of the VA laptops in 2006. That would have been enormously difficult under the previous decentralized way of doing business.

The final thing I'd like to say on that is, as part of the reorganization, which the studies and the assistance, of course, was provided by IBM, what IBM also did was produce 36 IT processes that we are now implementing. In fact, quite frankly, it's taken us a little longer than we thought because they're very complex. And whereas we wanted to be through with all that by this summer, it'll probably take us a little bit longer because they're very good, but it's just taking longer than we anticipated.

Mr. Morales: So on this note, Bob, this obviously represents a significant transformation for the organization. What are some of the key lessons that you're learning from this transformation, and what advice might you give another federal agency who's perhaps thinking about large-scale change such as this?

Mr. Howard: One of the first -- in fact, the most important is senior leadership commitment. If you don't have that, you can forget it. Because anytime you have to have a change that is so massive and affects so many people, you're going to get resistance. You really are. And that's why the senior leadership commitment is extremely important.

We started out in sort of an incremental path, then realized a full-up transformation is probably a much better way to go. Piecemeal implementation would not really do as well. Aggressive schedule, we feel that speed and intensity is a strategic asset to some degree. That's a mixed bag, because sometimes when your schedule is overly aggressive, you may head in a direction that you really didn't want to go in. We've had a few hiccups along those lines. Aggressiveness and speed does help put things in place.

Performance measures, we are working on that, not only to focus in on what needs to be delivered, so to speak, but to hold our senior leaders accountable for achieving success.

And then the last one I'd suggest is be decisive. You know, develop the plan and stay with it, stay focused. So those were some lessons learned.

I would like to say one thing, though, and it sort of flies in the face of setting an aggressive schedule, and that is, it would have been helpful perhaps for us to have a more in-depth assessment of existing conditions before we actually moved out on this. I think if it's the one thing I would have liked to have seen done, it's that. We probably didn't realize how important it was. But we're finding a lot of issues and problems that we were not aware of, and those would have been uncovered, perhaps. However, that could have slowed things down and it could have stopped the whole initiative, but I'll throw it out there. You know, if it can be done, I think it's -- you need to know what it is you signed up for.

Mr. Romeo: So, Bob, you've talked about a number of processes and lessons learned. IT governance is critical to the success of an effort as encompassing as the VA IT realignment. Could you tell us more about VA's plan to enhance governance through the establishment of a set of governance boards?

Mr. Howard: Yeah, Tom. In fact, the government boards have only recently begun over the last probably six months. It took us a while to put the concept in place. But basically, the procedures we're using, the concept, if you will, is to link in to a very important overall board for the VA that's called the Strategic Management Council, SMC. That's headed by the Deputy Secretary. It includes all of the Assistant Secretaries and the senior officials and what have you.

The SMC always did have an IT component that fed information into that body. And so what we did, we expanded on that particular part of the SMC construct and formed three subordinate boards, and this is the key governance thing now that deals with IT.

The first one, we call the Information Technology Leadership Board. And I chair that one, and equivalent officials, of course, sit on it. That's a high-level IT board. It determines the IT goals and approves the IT budgets and programs and resolves issues of the two subordinate boards that I'm going to talk about next.

And then, so, under the ITLB, under the Leadership Board, is two boards: one of them is the Business Needs and Investment Board -- we call it the BNIB, and the other one is the Planning, Architecture, Technology, and Services Board. We call it the PATS. The basic difference between the two, the BNIB is more a near-term kind of activity; budget formulation, budget execution, that kind of work. That one is chaired by the Principal Deputy Assistant Secretary for IT. And he also has the wherewithal, according to the governance construct, to have other Deputy Assistant Secretaries chair that. So for example, if the BNIB happened to be dealing with an information protection issue, during the whole meeting, he could have the Deputy Assistant Secretary for Information Protection chair that particular meeting. That's a provision that we put in the construct.

The PATS Board deals more with future-type work: architecture, planning. And we've recently begun developing a program process not unlike what goes on in DoD, where you lay programs out of a multiyear period. In fact, we're putting together the first three-year multiyear program for IT, and that particular board is orchestrating it. So they're more future-oriented. Those are the boards.

Now, there are other working groups and what have you that feed those three organizations, so there's other activities at a lower level. But by and large, it's the SMC, the Leadership Board, the BNIB, and the PATS that we use to do our work.

Mr. Romeo: The VA is rightfully proud of its leadership role in health information technology. Would you tell us about the VA's effort to modernize its Veterans Health Information System and Technology Architecture, also known as VistA? What are the goals for the VistA modernization, and how does this modernization effort seek to transform VistA from a hospital-based system to a patient-centered system?

Mr. Howard: There's a lot of activity going on there. Obviously, we want a better continuity of care, where electronic health records can be shared not only within the VA, but with other government agencies, like DoD and what have you.

The VistA system was built quite a while ago. It's an older code. It's written in a MUMPS code. What we want to do is transform that so that it's more Java-based, can be used in a web environment, and also interface a little better with, as I mentioned, other government agencies. It's very, very complex. You know, the work, when you really take a look at VistA itself, it sort of grew up over the years, has a lot of separate applications that are interwoven. It's very difficult to pull it apart so you can build the piece-parts back together. We're trying to use a service-oriented architecture to do our work, building packages that can be used not only to support health care, but benefits as well. An example of that is the identity management component, for example, of the health record could also be used for benefits activities or what have you, and other. That's the SOA approach, the service-oriented architecture.

We are moving to a patient-centric environment, where veteran health information can be shared even easier than it can already. And as you know, we already have a good deal of that, but we want to improve on it and make it seamless, where no matter where the veteran goes, the access to his or her medical information is very easy, to the point where it can actually be accessed by other government agencies, as I mentioned a couple of times now. There's a big effort underway to better link DoD and VA in the electronic health record arena. I think you're probably aware of some of that. The most important aspect of that, by the way, is the standardization of data. It's not so much the application as it is the data that needs to be standardized and that can be used by almost any application.

But with that said, we do have some studies underway to determine what is the best way to try to combine the DoD electronic health record and the VA, and that work is ongoing. It's a very high priority with our current Secretary, General Peake. He's putting a lot of emphasis on that.

We're also trying to better understand the ongoing activity just to keep our current electronic health record healthy and moving along, and at the same time move as rapidly as we can to modernize it. In fact, we've had several large-scale meetings with our people who are very familiar with the electronic health record, trying to lay that out at a master plan, which really does not exist, that ties the current system to intermediate solutions, and then on to the future HealthyeVet environment, which is the future electronic health record.

It's striking how complex this particular area really is. I mean, there are a lot of tentacles, and you have to be careful as you modernize this not to break something and not to forget some key component of an application that is very important to doctors and nurses and what have you.

Mr. Morales: Now, Bob, we hear a lot about collaboration and partnerships among agencies and with the private sector to achieve mission results. I only have a minute left in this segment, but what kinds of partnerships are you developing now to improve IT operations and outcomes at the VA, and how do you see these partnerships changing over time?

Mr. Howard: Yeah. There's quite a bit of activity with DoD. I mean, it's very, very intense, much more so than it was a year ago. That's the big one. Health and Human Services, of course, is very important. We also -- from a data exchange standpoint, Medicare, CMS is a very important activity to us as well.

There are also associations with universities. In fact, that's a very important aspect of the health environment in the VA. We call them "affiliates," where we have very strong linkages to medical schools throughout the country. In fact, you'll notice if you go to a VA hospital, for example, generally they're located right near a civilian university, and sometimes several universities, almost like a complex of medical schools right there together. So those relationships are extremely important. In fact, many of the doctors that work in VA or that work across the country in the private sector got their training linked to VA in some way. So those are very important relationships and partnerships.

And then, of course, there's the private sector, contractors in a number of different areas. In the IT arena, we get a lot of assistance from the private sector in helping us run our electronic health record and fix our infrastructure and what have you. That's an enormously important part of IT. In fact, when you look at the laundry list of contracts that we have, in the IT arena, it's quite extensive. We have over 1,300 in a given year and almost 250 of them are over $1 million, so it's huge -- the contracting activity. So the bottom line is we couldn't operate without a lot of help.

Mr. Morales: What about VA's efforts to secure its IT systems and data?

We will ask Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs, to share with us when the conversation about management continues on The Business of Government Hour.

(Intermission)

Mr. Morales: Welcome back to The Business of Government Hour. I'm your host, Albert Morales, and this morning's conversation is with Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

Also joining us in our conversation from IBM is Tom Romeo.

Bob, could you tell us a little bit more about data security assessment and the strengthening of controls program, and how it seeks to enhance VA's protection of personal information data security? More specifically, what role does this program play in facilitating the Secretary's priority of making VA the gold standard of data security?

Mr. Howard: That program was actually established very shortly after the breach that we had in May of '06. The intent was to first and foremost conduct a very robust assessment of existing conditions from a security standpoint across the VA. And we had several weeks during which we received various briefings from the various departments and what have you, laying out what their situation was. We also had assessments in the IT arena of data security procedures and what have you. So that was the assessment part. We learned a lot about some of the things that we needed to fix.

And then the strengthening of controls is actually broken down into three areas. We have a technical type of controls, like encryption, and management controls, where you make sure that your policies and directives are properly written and very clear, and then operational kinds of controls, like making sure that procedures are correct and the training is properly executed and what have you. It is in fact the most important overarching program that we have in place to achieve the gold standard. And what it is, it's a massive action plan. There's about 400-plus separate actions. Each one of them contributes in some way to tightening the security throughout the VA.

An example is to improve the way we do background investigations, to improve the way we do identity checks, to improve our access management, to improve the way we conduct patch management and change controls and things like that, to improve on our capability to monitor our networks and to encrypt our products and what have you. So if you can visualize a massive action plan, that's what this is. Not a week goes by that we don't add some other action to it that we realize needs to take place. So it's very important. We spend -- I get briefed on it very often. Every couple of weeks, the folks come in and let me know how they're doing.

Another key component of this particular action plan are all of the IG and GAO deficiencies that have been cited over the years. That's a major subset of this particular action plan. And in fact, we've consolidated those kinds of deficiencies into what we call "champion areas." I've designated my Deputy Assistant Secretaries -- and as you know, I've got five of them -- I've designated each one with responsibilities to oversee the corrective measures associated with the IG deficiencies and the GAO deficiencies.

Mr. Morales: Great. So continuing on this theme, could you elaborate a little bit more on your efforts around the encryption of data, and enhancing the VA's security incident management and monitoring processes?

Mr. Howard: Well, Al, one of the first things we did was to encrypt VA laptops. The mandate was to put full hard drive encryption on all VA laptops. In fact, I believe the number now is almost 18,000. Now, there were some that we ran into where we could not put the encryption, particularly laptops that were part of a medical device, where we actually could not change them because if we did, we'd have to go back through F -- you know, Certification.

And the other areas that we would have liked to encrypt are personal laptops. You know, for example, we have physicians, part-time physicians especially, that are using their own equipment. But what we have mandated is if you are interfacing with sensitive information, you are required to have your equipment protected, so at least we have that provision in place.

We also mandated the use of encrypted thumb drives. We were getting too many instances of individuals losing thumb drives that had fairly large quantities of health records on the thumb drives. So what we did is we outlawed those, said you can't use them on VA. In fact, if you try to place an unencrypted thumb drive in a VA computer, in one of the ports, it will not work. We have a suite of encrypted thumb drives, various types, that are FIPS-compliant that will operate with VA equipment, so that's been done. And there's no restriction. In other words, if a supervisor says, yes, this particular employee needs an encrypted thumb drive, we issue him one and we track them, also. So those two initiatives were very important.

We're also mandating the encryption of sensitive information across the board. In fact, there's a key handbook that we published last fall, Handbook 6500, that's got a lot of policies in it pertaining to sensitive information, what you can and cannot do. The protection aspect is very, very high.

Protection of e-mails, we have of course public key infrastructure, PKI. You know, I have my little BlackBerry here and I can send messages that are fully encrypted. We also have other encryption products that are being deployed across the VA.

And the other thing that we've recently begun to deploy is better port monitoring software and network monitoring software. The point that -- we want to get into a posture where we can, if we see a session going on, if somebody seems to be downloading huge amounts of sensitive information, we can peer into that and make some queries and find out what's going on. We can also prohibit the downloading of information from a remote computer. Now, this particular capability is not fully deployed yet because, as you can tell, it can get rather onerous. So we're going through this process very carefully, because what we don't want to do is impact the treatment of veterans or anything in a negative way, so we're trying to be very careful.

And there are other initiatives that we have going on, all focused on creating a very secure environment in the VA, an organization that deals with massive amount of information. You know, we are an information organization, whether it's health information, benefit information, or what have you.

On the incident work, right after the incident happened in May of '06, we put in place a very robust incident management capability. In fact, it's probably one of the best in government. We don't even ask questions. When someone says they may have an incident, we report it right away to the computer emergency response team for the federal government. And so as a result, we see a lot of them. Most of them, fortunately, are not serious, but every once in a while, we do get an incident that is a problem. And we have a capability in place now to deal with those as rapidly as we can, to notify any affected veterans or employees that happen to be at risk, and also offer them credit monitoring. You know, if we believe that their information really is at risk, we do that. We do that as a matter of course. It's a very robust process that's been very helpful.

That particular process is always also helpful to us in increasing awareness of the importance of protecting information. People know this is serious, and they don't hesitate to report if they see something wrong. If an incident has happened, employees report it. It's very good.

Mr. Romeo: Bob, on that vein, a major cybersecurity concern of any company or agency is their employees not thinking about risks, and being careless about personal information and data security. What steps has VA taken to create or cultivate a culture of accountability and protection of sensitive personal information to ensure continued improvements in addressing such security weaknesses?

Mr. Howard: Well, we have improved the training programs that all employees are required to take in two areas: security training and privacy training. Those are mandated training programs for all employees. The other initiative that we've begun, and it's mandated in Handbook 6500, is those rules of behavior. You know, before an employee can have access to sensitive information and to our computer systems, they have to sign a rules of behavior. And those are more extensive than they were before. Now, we're not having employees sign those until they're adequately trained. You know, we're not asking them to sign something that they're really not that familiar with, but that's a very important part of it.

Communication is more extensive than it was in the past in a number of venues, through the Internet announcements and what have you, and publications that go throughout the VA. We also have conferences that are very important. In fact, the annual one we have is InfoSec, Information Security, conference that takes place every year. There are several very good separate training tracks that individuals can go to orient in all aspects of data security.

Mr. Romeo: VA has made some significant progress towards the development of secure interoperable health technologies that support health sharing with the Department of Defense. To that end, could you elaborate on the VA-DoD information sharing effort and its status to-date?

Mr. Howard: Yeah. Actually, it has improved, and VA and DoD right now bi-directionally are sharing clinical-pertinent health data that is available electronically, like for example, laboratory results, medication/prescription data, allergy information, radiology reports, discharge summaries, and other narrative documents that are prepared by physicians in either VA or DoD. It continues to increase. For example, beginning to share information from the theaters and information that's available in either VistA or AHLTA, AHLTA being the DoD electronic health record.

Initiatives in support of wounded warriors, it's very intense in terms of sending scanned images, even of paper, in-patient records between some of the major facilities, like Walter Reed and Brooke Army Medical Center in Bethesda. This is now going on, where images are being shared across the board. A lot of effort here in terms of sharing information, and also ability to view some of this remotely. You know, there is capability within VistA to view information remotely. What we want to ultimately move to is an environment where we have a lot of this information that is computerized and not just image, where you can actually work with the information that's sent.

Mr. Morales: Bob, it's been my experience that initiatives such as these that we've been talking about -- IT transformation, increased efforts around security and privacy -- that they typically encounter a tremendous amount of internal resistance to change, and especially the issues around the IT transformation where you talk about centralization. How has the VA handled these changes and managed any resistance to these efforts?

Mr. Howard: You know there's always resistance to a change as big as the one we're experiencing. We have used some basic principles to help us through that: increased communications, satellite broadcasts, not only from IT, but also getting some of the senior guys involved, like the Secretary and the Deputy and what have you. Communication is absolutely critical not only throughout the IT organization, but to those who we support.

The other complicating factor to this is the IT appropriation, because sometimes there are concerns and complaints from the field that really have less to do with the organization than with the fact that money is much tighter than it was before. So we're trying to make sure those communications take place. But we got a lot more that we need to do in this area, that's for sure.

Mr. Morales: Great.

What does the future hold for the VA and its IT operations? We will ask Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs, to share with us when the conversation about management continues on The Business of Government Hour.

(Intermission)

Mr. Morales: Welcome back to our final segment of The Business of Government Hour. I'm your host, Albert Morales, and this morning's conversation is with Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

Also joining us in our conversation is Tom Romeo, IBM's general government industry leader.

Bob, given the critical role information technology plays in mission and program delivery, would you give us your view on how the role of the CIO has evolved? But more importantly, what are the characteristics of a successful CIO in the future?

Mr. Howard: As far as being a successful CIO, the ability to lead people and get the most out of your employees I think is very, very critical in any senior position -- whether it's a CIO or a CFO, it simply doesn't matter. That leadership part is absolutely essential, because all of this work gets done by people. People need to be motivated, they need to feel good about what they're doing, they need to be productive and all of that, and that all falls under leadership and the overall management construct.

As far as the characteristics of a CIO, obviously a blend of managerial ability and experience is very, very important, particularly in an organization as complex as the VA; understanding how to deal with all of the various piece-parts and how they're connected together; put systems in place so you're constantly able to monitor all that; and then clearly, as much of a technical background as you can have is clearly beneficial. You know, in my own case, when you look back over my background, I'm really not what you would think of as an IT person. You know, I have sufficient technical background where I'm at least comfortable in the arena. The more a CIO has really good, solid technical credentials, I think you're much better off, providing it doesn't skew so much in that direction that you lose some of the managerial part. It's a good balance. You must have the balance between the technical background and the ability to lead people.

Mr. Romeo: Bob, VA has probably not undergone a change on the scale of the current VA IT realignment since its introduction of the veterans integrated network system, or VISN. With the continued evolution of VA IT, how do you envision VA and its information technology efforts evolving in the next three to five years?

Mr. Howard: Clearly, we need to get the processes I mentioned that we're working on right now. These are very important as we lay those down, and to continue to improve on them. First, put them in place, and we have some in place, but they're not all in place. When they do get firmly embedded, we need to continue to improve on it.

The other thing that we have to continue to improve on are the methods we use to just run and manage our organization. What we basically have with centralization of IT in the VA, we have a very interesting situation from an organizational standpoint. We have people all over the country, and in some cases they're just onesies and twosies -- just small groups of people providing IT support, whether they're in a regional office or a hospital or whatever. Managing those individuals, keeping them current on ongoing initiatives, communicating with them, making sure they know what the procedures are, is very difficult.

Now, we have organized ourselves into regions. You know, we have like regional directors. I just recently established positions, one to handle the Eastern part of the country and one to handle the Western part. So we recognize the span of control issue as a problem, but it'll be difficult to solve that. Continuous communication, ready communication, both up and down, is the key to that. So when I think of how we're going to evolve over the next three to five years, I put that very high on the list.

Obviously, we have a lot of technical initiatives that we have to get finished, and those that really need to get started. We need to upgrade our infrastructure. We've found some problems there that we need to put some focus on. We need to adopt more of a service-oriented architecture in our software development activities.

But more than anything else, we need to improve on the way we communicate with our people in IT as well as our customers, and that's a big challenge right now. It really is. We're using all the methods we can possibly think of to make sure that the folks out there in the field providing IT support on a day-to-day basis know what's going on, know they have ways to communicate with their senior people, and get support when they need it.

Mr. Morales: Now, Bob, you focused a lot on people in our conversation here. And it's been my experience that transformation efforts create new competitive areas and the need for new competencies. To that end, what steps are being taken to attract and maintain a high-quality technical and professional workforce?

Mr. Howard: We have under development a career development program. In fact, we have an IT career management office underneath my Deputy Assistant Secretary for Resource Management. Recruiting also comes under that particular Deputy Assistant Secretary.

We first began by just trying to outline all of the skill sets that are required in the IT field, and it's quite extensive -- whether it's software development, systems engineering, security, all of that. We have all those skill sets identified, and we're now going through developing particular tracks. What kind of training and education does a person need to move up through a various subfield, if you will. Like take, for example, data security or cybersecurity. You know, what are the things that a young person needs to do to posture his or herself as they move through their career in that area?

We're probably the furthest along in the security arena. We've developed career programs and skill sets. We have a couple of very good training programs, some of which are interactive on the web, others are live training programs. In fact, we've established a training center up in Falling Waters, West Virginia. We've established an intern program in the security arena, where we're hiring young interns to bring them -- because this is a very technical field and an extremely important one.

And the other part about the security area, which is why we've paid a lot of attention to it, the individuals have a difficult job. Sometimes they could be all by themselves at a particular facility in the VA, and so they have to be pretty capable in order to handle themselves in that kind of an environment. So training and education and improving their skill sets is very important, and a lot of work going on in that area.

Mr. Morales: Now, you've clearly had a very successful career within the public service. What advice might you give to someone who's out there thinking about a career in government?

Mr. Howard: Yeah, I would say that quite frankly, the standard approach applies. You know, understand what your job is. Understand who you're doing it for. That's very important, remember who you're working for. In the public service, you may be working for an individual, but you're also working for the American people, because that's what public service is all about.

The other thing that you realize, probably more so in public service, is how our government actually works -- the three branches of government. And particularly, if you're a senior person coming in to the public service for the first time out of maybe the private sector or whatever, you have to have a good understanding of that. In other words, the role of the Congress, the role of the Executive Branch, and how you fit into all of that. Don't get frustrated. These three branches of government were put together deliberately. And democracy is not necessarily an easy kind of government to operate within, but it's sort of like get over it, you know? This is the way our system works. And if you're a senior government official, sometimes you just have to take the heat. But more than anything else, remember that you're responsible to the American people. And from that standpoint, you need to be good stewards of public funds and resources.

A career in public service is rewarding. I will say that, for example, in the VA, you know that we have a very clear mission: to support veterans and all those who have given a great deal to our country. And so -- and I think this is a feeling that is probably universal throughout the VA employees -- that they really do feel a sense of mission in that they're supporting our heroes, American heroes, and there's an awful lot of them, as I mentioned earlier.

Mr. Morales: That's a wonderful perspective, thank you. Unfortunately, we have reached the end of our time. I want to thank you for fitting us into your busy schedule, but more importantly, Tom and I would like to thank you for your dedicated service to our country, especially to our veterans.

Mr. Howard: Well, I really appreciate the opportunity to be here with you today. I will say, just to kind of wrap it up, that we have a very aggressive initiative going on in the VA with IT, robust activity. We've got a lot of high-energy folks engaged in this, all working very hard to make IT within the VA a lot better than it has been in the past. With that said, we've got a lot of work to do, but everybody needs to know they've got some highly dedicated employees, almost 7,000 of them out there, trying to make this work, and some of them with very difficult jobs, but they got a good positive attitude. And again, more than anything else, they know who they're ultimately supporting, and that's the veterans.

Mr. Morales: That's great.

This has been The Business of Government Hour, featuring a conversation with Bob Howard, Assistant Secretary for Information and Technology, and Chief Information Officer at the U.S. Department of Veterans Affairs.

My co-host has been Tom Romeo, IBM's general government industry leader.

As you enjoy the rest of your day, please take time to remember the men and women of our armed and civil services abroad who may not be able to hear this morning's show on how we're improving their government, but who deserve our unconditional respect and support.

For The Business of Government Hour, I'm Albert Morales. Thank you for listening.

Announcer: This has been The Business of Government Hour. Be sure to join us every Saturday at 9:00 a.m., and visit us on the web at businessofgovernment.org. There, you can learn more about our programs and get a transcript of today's conversation.

Until next week, it's businessofgovernment.org.

* * * * *

William Gray interview

Friday, September 17th, 2004 - 20:00
Phrase: 
"Modernizing the disability benefits process enables us to move from a paper to an electronic environment. We eliminate mailing, filing, and storing paper and focus on having information available to decision makers at the right time."
Radio show date: 
Sat, 09/18/2004
Intro text: 
William Gray
Complete transcript: 
Friday, August 13, 2004

Arlington, Virginia

Mr. Lawrence: Good morning and welcome to The Business of Government Hour. I'm Paul Lawrence, partner in charge of The IBM Center for The Business of Government. We created the Center in 1998 to encourage discussion and research into new approaches to improving government effectiveness. You can find out more about the Center by visiting us on the web at businessofgovernment.org.

The Business of Government Hour features a conversation about management with a government executive who is changing the way government does business. Our special guest this morning is Bill Gray, Deputy Commissioner of Systems at the Social Security Administration.

Good morning, Bill.

Mr. Gray: Good morning, Paul. How are you doing?

Mr. Lawrence: Great, thank you. And also joining us in our conversation from IBM is Greg Greben.

Good morning, Greg.

Mr. Greben: Good morning.

Mr. Lawrence: Well, Bill, let's start by sort of learning more about the Social Security Administration. Could you give us a sort of historical background and talk to us about its mission?

Mr. Gray: Okay. Well, Social Security, as a lot of people know, started back in 1937 under the Roosevelt Administration, when people were going through the Depression, and they wanted to have a guarantee that people who reached their retirement years had a floor of income that they could count on. And so Social Security was formed really to make sure as people reached the retirement age, they'd be able to support themselves throughout their retirement years.

Mr. Lawrence: Most people don't realize the size of Social Security and the number of people who work there. I'm curious, could you give us a sense of the size of SSA, and perhaps more importantly, the types of skills of the people who work there?

Mr. Gray: Well, Social Security has about 65,000 employees and it's a very diverse organization. First of all, we have about 45,000 employees that work in one of our 1,400 field offices that are in almost every community across the country. And the employees in these offices serve any American citizen that comes in, has a question, needs to file for benefits, needs to change something on their records. We also have a number of other positions that support them. We have about 19,000 employees that work that are not federal employees, but state employees, that work in the states that make the medical decisions, so that if somebody comes and files for disability benefits, these employees determine whether they meet SSA's medical requirements.

In addition to that, we have a number of employees throughout the country and throughout the Agency that provide support. I have -- working in Systems, I have people that develop new systems who are requirements writers. I have network engineers. I have a number of IT professionals. We have lawyers. We have judges that if somebody files an appeal because they disagree with one of the decisions that was made, a judge can hear them. We have people who are accountants who work on Space and Budget. So it's just a very diverse organization.

Mr. Greben: Can you explain SSA's interaction and relationships with other federal departments and agencies?

Mr. Gray: Well, Greg, SSA used to be a part of Health and Human Services. And about nine years ago, we became an independent agency, and Social Security now reports directly to the President. It's part of the Executive Branch. We work very closely with a number of other federal agencies: IRS, because obviously there's a connection between collecting income taxes and collecting Social Security taxes; with the Center for Medicaid and Medicare Services, because Social Security signs people up for Medicare, they collect the premiums, and they oftentimes answer questions for people. We work closely with the Veterans Administration; many disabled veterans are eligible for Social Security benefits as well. So with a number of federal agencies throughout the government, we work very closely.

Mr. Greben: Bill, can you talk to us about your specific responsibilities and duties as the Deputy Commissioner of Systems?

Mr. Gray: Well, as the Deputy Commissioner for Systems, we really have a very large centralized systems organization that manages all of the information technology at Social Security. We have one of the largest data centers in the world; that we process about 45 million transactions a day. We build a lot of our own software, so we have a good number of software developers. And we're responsible for getting and overseeing the installation of new workstations, new servers, telephones, managing the telecommunications network, the 800 number network. So just a wide array of responsibilities.

Mr. Greben: And can you talk to us a bit about prior experiences before becoming Deputy Commissioner of Systems?

Mr. Gray: I started out in Social Security about 28 years ago as a claims representative in Sandusky, Ohio, one of the 1,400 offices that I had mentioned before. And in that role, I would -- people would come, I'd talk to people that needed to file for benefits or had questions, and I'd try to answer those questions. I moved up through the management ranks. I was a supervisor, a staff assistant in Chicago.

And in 1985, in January of '85, Social Security was just starting to move into bringing systems online, giving end users in the field offices the ability to take applications through CICS online. And I came in on a detail at that time to supervise an office that was composed of people from the field that were testing these new systems before they were released to make sure that they met the end users' requirements. Since that time, I've worked in a number of different jobs representing the end users in all systems development, making sure that their voice was heard at the table.

And about four years ago, I actually moved out of operations into the systems organization itself. I came in first of all as Assistant Deputy Commissioner and then, about two years ago, I took over in charge of systems as the Deputy Commissioner.

Mr. Lawrence: As you think about your career, is there any one experience where you shifted from being sort of a worker, a doer, to realizing you were interested in being part of management?

Mr. Gray: I think when I first became a supervisor, that was the point at which I kind of made that shift there where you moved into management. And I think that that's always for anybody, that's kind of a difficult shift. I think that all of a sudden you're responsible for things, you're trying to -- you move from doing work yourself to try to motivate other people to do the work for you. And so those are a set of skills that I think we all need to learn as we make that transition.

Mr. Lawrence: You've talked a lot about your experiences, and what I've noticed is that you've remained with the Social Security Administration the entire time. What's kept you in public service, or perhaps you've been attracted into the private sector, but said no? What's kept you?

Mr. Gray: Well, first of all, I love being in public service. It's the -- I think it's the mission of the Agency. I think that coming to work and doing things that you think improve the lives of everyday American citizens, I think that's what really motivates me. And I think Social Security is a wonderful place to work. And what I try to tell my folks is keep your eye focused on service. That's why we're here, and keep your eye focused on that despite all the other, you know, distractions you have in your day-to-day work lives.

Mr. Lawrence: You're a leader of a very large team because of the size of the systems you do. What are the kind of skills you use to sort of stay in touch with the team? I think people often talk about the need for leaders to communicate, so I'm curious how you do that with such a large team.

Mr. Gray: Well, there's a lot of ways that you do it, and I think communication is absolutely vital. I think the first step is that you have to know where you're going. You have to have a vision of where you're going. And so I try to get a lot of input from people to try to form the vision, make sure people know the direction that we should go. And then I spend a lot of time just going out and talking to people over and over again about the directions we're going and why we're going into those directions.

I have weekly meetings with a division. And so it's a different division and systems every week, and it's the employees all the way up from the clerical staff to the managers, and we talk about any issues that people have on their mind. I spend a lot of time not only communicating within Systems and telling people where we're going, but going out to the various offices across the country and making sure the people that we serve and support understand where we're going and why we're going in those directions; and if they have issues and concerns, making sure I understand these so that we can try to address them in our systems development.

Mr. Lawrence: What's your perspective on the speed by which decisions are made in the public sector? For example, we often talk to a lot of people who joined government coming from the private sector late in their career and they are surprised at how slow it is compared to some of the decision-making based on the private sector; others are not because they think it's comparable; large organizations being large organizations. I'm curious of your perspective on that.

Mr. Gray: Well, I think that obviously, there's lots of regulations that you have in government that you have to follow in going forward, and that can slow down the decision-making process. But I also think that if you're adept at understanding how to manage through those regulations, you can make decisions quickly. I think at Social Security for the most part, we're able to do that and put ourselves in a good position.

Mr. Lawrence: You've been there a long time and you've seen lots of different leaders of the organization. I'm curious if you could describe for us what you think the characteristics of a good leader are.

Mr. Gray: I think somebody who, first of all, has a vision; somebody who can communicate that vision; somebody that listens to the people around them and is able to make sure that they really reflect people's concerns and try to address those concerns. And I think the most important characteristic is integrity. I think all of us in our jobs, really the only thing we have that people can rely on is our word, and if you don't have integrity and your word doesn't mean what it should mean, you're not able to do business effectively.

Mr. Lawrence: Interesting point.

One of the major programs of the Social Security Administration involves disability benefits. What are the plans to modernize how these are provided? We'll ask Bill Gray of the Social Security Administration to tell us more about these when The Business of Government Hour returns.

(Intermission)

Mr. Lawrence: Welcome back to The Business of Government Hour. I'm Paul Lawrence, and today's conversation is with Bill Gray, Deputy Commissioner of Systems at the Social Security Administration.

And joining us in our conversation also is Greg Greben.

Well, Bill, in the first segment, you talked about the broad responsibilities of the Social Security Administration. Could you talk to us more about the programs that SSA is responsible for administering?

Mr. Gray: Sure, Paul. I think, as most people know, Social Security is very large. We actually pay 47 million people benefit checks every month, and we pay about $40 billion in benefits every year, and we're a mainstay of the American economy. We administer many programs, but Social Security is really a lifetime relationship with the American citizen. It starts when you're born. You get a Social Security card. When your hospital sends in to get your birth certificate, we're also sent an application for you to get a Social Security card at the same time. We issue about 18 million Social Security cards every year.

When you go to work, we start with you trying to make sure that the wages that you're paying Social Security taxes are correctly accredited to your record so that when it gets time for you to file for benefits, we're paying you the correct amount. When you retire or you become disabled, you can file for benefits with us, and we'll assure that you're entitled and then begin sending you a monthly check. And then if something should happen and you die, your survivors may be entitled to benefits on your record.

We also administer a poverty program, Supplemental Security Income, for people who are aged, over age 65, or disabled that meet certain income levels and resource levels that would entitle them to benefits from us. So we administer a wide array of programs at Social Security.

Mr. Greben: You spoke of programs that pay disability benefits. I understand there is a modernization program underway in this area. Can you tell us more about this initiative?

Mr. Gray: Sure. Before the modernization program, essentially what Social Security did was to pay disability benefits or determine if you met the eligibility requirements for disability. We had a paper folder. So you would come in to file, we would collect your information about why you were disabled, your allegations as to your medical condition. We'd collect all of that on paper and begin creating that paper folder. And then we would ship that paper folder off to the state that I mentioned before, the state agency, and they would get more information from the doctors and from the hospitals to determine whether you were disabled or not, and create more paper in that paper folder. And then make decisions and document their decisions in the paper folder. And if you appealed the decision, you would take that paper folder and send it off to another office, a hearings office, where you would get -- you would be able to have a hearing in front of an administrative law judge. But everything revolved around that paper folder.

The idea behind modernizing the disability process was to move from paper into an electronic environment. And what that meant was that from the point that somebody files until the point at which a decision is made at the hearings level, we ought to do that electronically and process it paperlessly. And that means that people can now file over the Internet. As a matter of fact, 75,000 people so far have filed over the Internet, and 97 percent of them rate their experiences good, very good, or excellent. Almost all of them in excellent.

We've had 5.5 million claims filed in field offices. When someone comes in or someone calls us on the phone, we collect that information electronically. We have an electronic folder so that if we go out and request for information from a doctor or hospital, they can send it to us electronically. If their records are on paper, we'll scan it and make it electronic, and then store that in an electronic folder.

And then at the hearings level, we've built an electronic case processing system that our hearings offices use to manage the hearings and make sure they can schedule them appropriately and control the decisions that are made.

Mr. Greben: Can you speak to some of the specific business drivers that launched this effort?

Mr. Gray: I think the biggest business driver we had was that the service that we were offering just was inadequate. If you actually filed for disability benefits with the Social Security Administration and you were denied and you went through all the levels of appeal, it could take you well over two years to get through the entire process. If you're sick, that's just way too long for someone to have to go through. And so our idea was if we can keep this electronic, we can cut out all of those steps that paper requires: mailing steps, filing and storing paper, retrieving folders. Oftentimes we'd lose a folder; you have to recreate it. With an electronic environment, all of those things are lost, and you can really focus on the business of the agency, which is having the information available to the person that needs to be making the decision at the right time.

Mr. Greben: Do you have goals in mind, Bill, for the performance level you're trying to achieve?

Mr. Gray: Yeah, we think that we can cut out well over 100 days out of this process. And the 100 days that we want to cut out, primarily we're looking to try to cut out most of those at the front end, because if you think about the way that Social Security works, 100 percent of the people file for disability, right, about half of them are approved at the initial level. Well, then, 50 percent go on and file an appeal and, you know, as the process goes, more and more people are winnowed out. So if we can save time more at the front end, you really benefit more people and they get much faster service.

Mr. Lawrence: Can you take us through the timeline for this program? I mean, you described something that seemed pretty straightforward and easy to understand the benefits when you consider the paper going back and forth and the time. I'm just curious sort of, you know, how did this come to be from the time people began to envision the need for change to the actual implementation? Could you take us through the steps?

Mr. Gray: Well, Social Security, first of all, for -- has been trying to look at the modernization of the disability program for a long time, and we had had previous efforts that, frankly, had failed, they hadn't worked. And so we had on the books an effort that would have taken us, starting back in January of 2002, would have taken us over seven years to begin the pilots. We looked at that. That just wasn't -- that didn't meet the needs of anybody, you know. We needed to improve the service.

And so we set a goal that we would build the infrastructure, starting in March of 2002, in 22 months, that would allow us to do the things that I just described. And in January of 2004, 22 months later, we did what we said we would do. A partnership with IBM, with their tremendous support, we were able to build that infrastructure that allows us to take a claim electronically and process it paperlessly. We started rolling this out in January of 2004 to states across the country. And by June of 2005, all the states will be up and using this system.

Mr. Lawrence: There must have been a reason why people thought seven years, so when they were told less than two, what was their response? I mean, how did that reconcile?

Mr. Gray: I think at first there was a lot of skepticism, and I mean a lot of skepticism. People said we didn't think that you could do it. We just didn't think it was possible. They looked at prior efforts that had failed and thought we were blowing some smoke there. But the truth of the matter is that we had really taken a look at the state of the technology, we took a look at what it would take to do this, and we told the commissioner who was driving us to improve this disability process as quickly as we could that we could accomplish this in this timeframe if we got all the resources that we need. And she was just instrumental in going out and making sure that we had the resources so that we could achieve the commitments that we were making.

Mr. Greben: Can you speak to other modernization efforts underway at SSA?

Mr. Gray: There's a lot of things that are going on at SSA. First of all, electronic government is a big deal. Trying to put our services up on the Internet is vitally important for Social Security. We face a Baby Boomer population that's aging, that our workloads are increasing. And if people can come to our websites and do business over the Internet themselves without having to talk to a Social Security employee, we can manage these increasing workloads. So if you come to SSA's website today, you can file for retirement, you can file for disability, you can change your address, you can arrange for direct deposit, replace your Medicare card, and numerous other services. If you have a question, we have "frequently asked questions," where people can come and get answers to the common things that they want to know about Social Security and the benefit programs we offer. So we're going to continue to invest our resources in building web services and making the web a robust service delivery channel for Social Security. Right now, most Americans, when they come to talk to Social Security, they do it over the Internet. So we're achieving what we set out to achieve.

Another massive thing that we're undertaking right now is with the new prescription drug legislation that recently passed Congress and was signed by the President. Social Security has an enormous responsibility in implementing that. We're responsible for determining whether someone would be eligible for a subsidy, for example, to help pay for their prescription drug premium. And so we're doing a lot of automation to try to help with that, all the way from getting applications, paper applications that we can scan and use optical character recognition to read, providing Internet applications and new systems for our employees and our field offices and teleservice centers to use. And we have to have all of these ready by May of '05, when we're going to start taking the subsidy applications.

So there's a lot that's going on. In addition, there's several other provisions in the Medicare legislation that I won't go into that we're also responsible for implementing.

Mr. Lawrence: How do you think about access to the Internet? So for example, more than half of the folks who interact already do, but some people won't, either because they don't want to use the Internet or they don't have access. How do you think about that?

Mr. Gray: That's why Social Security has multiple service delivery channels. That's why if you want to do business with Social Security, you can call us on the phone, you can send us a letter, you can walk into a local field office, or you can do business over the Internet. It's your choice, but a lot of people want to do business over the Internet, and I do, you know? When you go out to do business with a company, it's convenient to do it from your home. You don't even have to get dressed; you can do it in your pajamas. And so that's how I want to do business and a lot of people want to, and that works well for us. It helps us and it also provides better service to them. And it allows us to really focus more of our human resources on people that need that kind of support.

Mr. Lawrence: As we've heard, SSA interacts with lots of other government agencies. What are the challenges exchanging information with these other agencies?

We'll ask Bill Gray of the Social Security Administration to tell us about this when The Business of Government Hour returns.

(Intermission)

Mr. Lawrence: Welcome back to The Business of Government Hour. I'm Paul Lawrence, and this morning's conversation is with Bill Gray, the Deputy Commissioner of Systems at the Social Security Administration.

And joining us in our conversation is Greg Greben.

Mr. Greben: The paperless disability folder stores a wealth of data in various formats. How do you ensure interoperability between these systems?

Mr. Gray: Well, Greg, that's a real task for us. We have a vast network of various systems, and trying to make sure that they all work together well with the changes that are coming on board is a real challenge. We have at Social Security a very defined process. We have an architectural review board, which is composed of experts, systems experts, in the Agency. And any new system that's going to be implemented has to go through the architectural review board, and people look at the design of it and make sure that it will fit in, before it's even built, that it'll fit in with our architecture. We also do a lot of testing of systems as they're going through the development cycles to make sure they really do work well and that they interoperate.

With the paperless disability system, though, the challenge was even greater. And we were really fortunate. IBM has been a terrific partner in this process. They opened up their labs in California, at Santa Teresa, to really helping us look at how we could architect this, because it was a real challenge for us with the volumes of data that we expected to come in to make sure that they work in our environment. They opened up their labs. They worked with us. They helped us with the design. It was a real benefit to us. And they helped us with the testing at every step of the way as we've gone through.

In addition to that, in Social Security itself, we knew from the beginning, and I told you I had asked the commissioner for additional resources, we knew from the beginning that many of those resources, as a matter of fact about $20 million, needed to be spent on building improved testing labs at Social Security, so that as we had this new process come through, we could make sure that we could iron out the bugs and test these things thoroughly before any user actually used it in production. Those things have worked real well for us.

The systems that we've fielded have been stable, they've been available, and performance has been very good. So I think that this is a real formula for success at Social Security.

Mr. Lawrence: As you've taken us through the process, I've heard you describe interactions with other agencies, medical professionals, disability claim examiners, and probably some others I don't quite know. What challenges are presented when you exchange information between these different users, and how do you overcome them?

Mr. Gray: Well, first of all, you know, every user, a medical professional, another federal agency, they all have their own IT environment, and you have to be able to exchange information using the technologies that they have that they're going to be sending it to you with. And so the first thing that you have to do is make sure that if you're asking for information, you're giving them an easy way to interact with you. And so we focus a lot of attention on providing different options to people to get information to us so that they really can do it in a way that's most conducive to the business that they have.

We also have to ensure that privacy and security is protected throughout this. Social Security focuses an enormous amount of attention, and we are one of the highest, if not the highest, rated government agency in security and in privacy. And that's because we focus so much attention on it and make sure that as people send us information, no one else could possibly get to that information as it comes through that's not authorized to do that.

We also have -- with the disability modernization, we had a particular challenge because, as you know, there were new regulations that were being sent out to the medical community, the Health Insurance Portability Act. And a lot of the medical community didn't quite know how that applied to them, and they didn't know what that would mean to them as they started to exchange information with Social Security electronically. And so one of the things that the Commissioner of Social Security did was to start to have regular meetings with the professional associations that represent the medical community: American Medical Association, Psychiatric Association, dozens of these kinds of professional organizations. And we invited the people who were in charge of the Health Insurance Portability Act regulations to come and talk about where Social Security was going and what that meant to the medical community. And I think by doing that, we've been able to ease a lot of the concerns and fears that people had in doing business with us. So it's been a real effort, but we've undertaken it and I think we're being real successful.

Mr. Greben: Disability program modernization marks a major transformation in the way SSA has operated over the last 70 years. You've talked a great deal about the technology challenges. What additional steps are being taken to ensure employees have the proper infrastructure, training, motivation, et cetera, to make this program a success?

Mr. Gray: You know, that's really the biggest challenge we face of all of this. The technology, all of this, the real challenge is the business changes that were taking place. People have worked and used a paper folder for 70 years in this agency and for seven months, we've asked people to start using an electronic folder and to try to get used to working in that environment. And techniques that people used -- to paper clip documents, to put sticky notes on them, or annotate certain things in a paper folder -- they need to know how to translate those skills into an electronic folder.

So we've spent a lot of time, first of all, developing documentation and training to focus on that. Then we test the training, and as people give us feedback, we improve it. All of the systems that we use are piloted before they ever are released into a wider audience in a limited environment. We just last week, in Chicago, had a nationwide conference where we brought people from all the states together. And the people who had been using the electronic folder talked about their experiences, their best practices, lessons learned to share with people who'd be seeing this coming down the road over the next few months. There's a number of things that we do to try to get the user community comfortable in working in this electronic environment.

Mr. Greben: So what have you seen to date? Are there measurable successes? Have you seen improved service delivery, cost savings? What have you noticed?

Mr. Gray: We have. It's early, still early in the process. But just for example, in 2003, as a result of some of the early initiatives that took place, average processing time went down seven days. So we were seven days faster in processing the average claim. We are getting a lot of information now electronically in the states directly from the medical vendors. And in one of our states, in Mississippi, where they put a particular emphasis on this, about 40 percent of their medical evidence is coming in directly and electronically from the medical community. Their average time to receive medical evidence dropped from 22 days in January to 14 days in June; significant time if you're trying to make a medical decision. So we're seeing some of the early successes that we expected to see, and I think we're right on target with where we need to go.

Mr. Lawrence: You've talked about a large-scale transformation project. Could you take us through some of the management challenges? You talked about needing more resources, and you got those, I understand that. But take us through some of the people issues.

Mr. Gray: I think some of the people issues were really, in the transformation, was trying to, first of all, make sure -- there was a lot of fear when they heard about a new system would be coming. When we announced that in 22 months we were going to build this infrastructure, the first people issue you faced was skepticism and fear that we would build something that wouldn't meet their needs.

One of the things that we needed to focus on was that we wouldn't build this in a vacuum, that we needed to bring the user community in. And we were building the system for them, none of us would ever use it; it would be the people out there. And so we needed to have them at the table with us every step of the way as we designed and built these systems. And so we did. We had an enormous amount of people coming in from across the country. We did a lot of piloting of these new systems before we ever released them.

Then what happened is that we found that as we put this out, we'd go and do training for folks, right, and they'd be excited and start to use these new systems, but about a month or so down the road, people would still be a little bit sketchy. You know, they would have learned all the things in the pilot, but that's a lot of information to give somebody up front in the training. So what we found is that you had to go back and you had to, you know, sit down with people again. And people would tell you, well, I'm frustrated because I can't do this. They wouldn't necessarily realize that you could do this; they just hadn't necessarily picked it up in the training. So a lot of this was going back and giving people that next level of skill so that they were more adept at using the electronic folder.

And then we've worked a lot internally in Social Security and with IBM; that as users made recommendations for how we could make improvements, to go about getting those improvements made quickly. And I think that had a real impact on morale that people could see that they'd make a suggestion and, a few weeks later, that suggestion would be implemented and it would improve the process.

Mr. Lawrence: How about the people who actually worked on the project, perhaps mostly from your team? I noticed the following dilemma, which is the best performers have day jobs. An interesting new project comes along and you're stuck on a dilemma, you'd like to have the best performers to do this, but they also have another job. How did you staff this project?

Mr. Gray: Well, the first thing that we needed was we had gone through a reorganization in Systems when I took over in 2002. The first thing that I did was reorganize Systems so that previously, we had an organization that did software development, we had an organization that wrote requirements, we had an organization that built management information, and various other organizations. And the problem was that if you wanted to build a new system, you had to go through all these organizations, and the organization that had the fewest resources was the one that you were going to be stuck with; that was where you were going to be targeted to.

So we decided instead to organize around a project. If you were going to build disability programs, all of those resources would be put in one organization, and that's what we did. So that helped get the people together that would be building the different initiatives. If you were building web-based applications, that was in one organization; building disability applications was in a different organization. If you were building retirement applications, it was in a different organization.

The next thing we did was that we knew we had to increase the staff of the people that would be building these disability applications, so we did a posting and asked people to volunteer to come over. And we got lots of people that volunteered and we tried to accommodate them, moving them on into these organizations, and, in many cases, we back-filled behind them, so you hire new people to come in behind them. And that transition had to be managed carefully for the reasons that you mentioned before, Paul; that, you know, you just can't denude organizations that have other responsibilities.

But I think that really what you started to see is that even within Systems, within our organization, people thought this challenge of building something in 22 months, they were skeptical of it. This was a huge challenge. But as you had success after success, people could see this coming together. You had more and more morale-building, more and more motivation, and people were really pleased with the success they'd had.

Mr. Lawrence: That's a fascinating point, especially about the people.

How will SSA continue to transform and modernize as we look out to the future? We'll ask Bill Gray of the Social Security Administration to give us his perspective when The Business of Government Hour returns.

(Intermission)

Mr. Lawrence: Welcome back to The Business of Government Hour. I'm Paul Lawrence, and this morning's conversation is with Bill Gray. Bill's the Deputy Commissioner of Systems at the Social Security Administration.

Also joining us in our conversation is Greg Greben.

Well, Bill, earlier you talked about the fact that the SSA had attempted a large transformation project in the '90s, and I'm curious: what lessons were learned from that experience and how they were incorporated into your recent success?

Mr. Gray: I think we learned a lot of lessons. I think that the first lesson that we learned was that the technology that we had been trying in the '90s really wasn't conducive to where we wanted to go. We had been trying client server technology to build this as a platform on. The result was that any change you had to make, you had to download to workstations and servers in a variety of locations. It just became too difficult for us to manage.

When we moved ahead with this initiative, we relied on web-based technology. It really reached its maturity, so it was something that we could rely on. Working with IBM, we worked on things like content manager to the mainframe, so instead of having to build large server farms, we could actually store this massive amount of data or process this massive amount of data on our mainframe computers that are very reliable and that we're used to working with. So I think the technology itself was just an improvement and gave us the foundation for our success.

The second lesson that we learned is that you really needed to bring the user community and have a strong user voice into where we were going. We were changing people's business processes, we were changing their lives, and they felt much more comfortable if they were part of that process. And so we spent a long time and an enormous amount of effort and resources on getting that user voice into our development activities.

The third thing that we learned is that we needed to do better testing up front. In our prior efforts, we didn't necessarily have the testing labs. And oftentimes, the first line of defense was the user using it in production. And obviously, the reaction of people was going to be pretty negative to that as they had to encounter those problems and work through them right up front when they were trying to deal with the American public. So we spent our resources building labs so that we could test what we needed to test before somebody started using it out in the real-life environment. I think those three things really contributed to our success.

Mr. Greben: The Commissioner of SSA is pushing for innovation and continued modernization of SSA's records. Where do you think the future will take you?

Mr. Gray: I think the future is going to take us into really moving completely into an electronic environment. We've talked today so far a lot about disability, right? And with disability, we're building electronic folders and we're not going to be keeping the paper. And by June of next year, we hope to bring up a similar system to really handle the additional claims workloads that Social Security has so that we're no longer storing paper.

I tell people, you know, that for 70 years, everything that Social Security has done has really revolved around a paper folder. You have to have somebody to create that folder. You have somebody manage it, going and pulling it and giving it back to the people that can do the work, spend an enormous amount of resources mailing those paper folders around. Only the person that has the paper folder can do the work. And then when we get all finished with it, then you go and store it in a cave so that we can retrieve it for the next seven to ten years if we need to retrieve it. Well, I think what you're seeing Social Security do is start to come out of those caves and really move into an electronic environment, and that you'll see that happening very quickly, and that's what the Commissioner is driving us to do.

Mr. Greben: Are there additional challenges that SSA will face in the future?

Mr. Gray: I think the biggest challenge that Social Security faces is one that I think everybody is very familiar with, and that's the aging Baby Boom population and what that's going to mean to Social Security in a variety of ways. I think people are real familiar with the financial challenges that that poses and the solvency of the program. And people are focused on trying to resolve those issues, but it also has an enormous impact on our workloads. People -- the Baby Boomers right now are reaching their disability years. And one of the business drivers in modernizing disability was trying to deal with this workload that's increasing because the Baby Boomers are reaching those years. Very soon, they're going to start to move into their retirement years. And so our challenge is to find ways to effectively provide service to an increasing population of users without having to have enormous increases in our staff, which in these times of tight government budgets just aren't going to happen. And that's why when I described before what we're doing on the web and the Internet, that's why that's so important to us.

Mr. Greben: How do you envision the government will conduct transactions across other federal agencies, state and local governments, et cetera?

Mr. Gray: I think it's going to be different, you know? I think that, you know, traditionally and in our current environments, people think of dealing with Veterans Administration or dealing with Social Security or with IRS as independent agencies, and I think really the American citizen doesn't want to deal with individual agencies. They want to deal with the federal government and they want to know all the benefits that they might be entitled to, and they don't have to go to various agencies to find what those are. They want to have one application so they don't have to apply if they're entitled to three different kinds of benefits, they don't have to apply at three different places for them.

I think that we need to be able to exchange information so that if somebody comes to get a driver's license or we have a homeland security issue, we can make sure that people are who they say they are in those. So I think that what you're going to find is a more common, outward-facing government face. And I think that increasingly working together with other federal agencies and, you know, Office of Management and Budget, we're starting to do that; we're starting to combine benefit applications, combine questions, you know, that people can get answers to. And I think that you're also seeing that more and more information is being shared so that people have more accurate benefits and that we have a better and more secure environment for the United States.

Mr. Lawrence: Bill, in the first segment, you took us through your long career in public service, and you also talked about how much you enjoyed it, and you've been there. So I'm curious, what advice would you give somebody interested in joining government?

Mr. Gray: I guess my first piece of advice is it's a great place to work. I mean, I would really encourage people to come and work for the government. I think the mission makes it a particularly important place to work. I think people feel a lot of satisfaction with coming to work every day. I know that I think about when I come to work, and I know my colleagues do, that it's their neighbors and their families and their friends that you're actually serving, and it's a very personal relationship between what you're doing and how you're helping the American public.

And so I think the advice that I would give is that it's a good place to come, come work here. I think that people often have a perception, a misperception, that government employees don't work hard. I think that they would be disabused of that notion if they came. I think people are very dedicated and work very hard, and so you can expect a lot of challenges and a lot of opportunities. And I think that the one thing that I always tell my staff is to keep your eye focused on service, that's why you're here.

Mr. Lawrence: Bill, that'll have to be our last question. Greg and I want to thank you for squeezing us into your busy schedule and being with us this morning.

Mr. Gray: Great, thank you, Paul. It's great to be here. Anybody that's listening, I would encourage you that if you want to do business, visit us at www.socialsecurity.gov. We have a variety of services up there and questions that can be answered. I think you'll find it a very good website.

Mr. Lawrence: Thanks, Bill. This has been The Business of Government Hour, featuring a conversation with Bill Gray, Deputy Commissioner of Systems at the Social Security Administration.

Be sure and visit us on the web at businessofgovernment.org. There, you can learn more about our programs and research into new approaches to improving government effectiveness, and you can also get a transcript of today's very interesting conversation. Once again, that's businessofgovernment.org.

This is Paul Lawrence. Thank you for listening.