OPM’s path to green paved by IT security

As the leaves turned brown last fall, Office of Personnel Management IT officials could only think about green.CIO Janet Barnes hoped OPM would become only the second agency to earn a green rating for its e-government work on the President’s Management Agenda scorecard.“We thought we were close, but we didn’t know until the scores came out,” Barnes said.When the Office of Management and Budget recently released the final 2003 scores, OPM had made the grade. Securing its systems, completing its enterprise architecture and shoring up overall IT management gave the office a final push into green.OMB gives major agencies scores of green, yellow or red for their efforts to meet the agenda’s five goals—budget and performance integration, competitive sourcing, e-government, financial performance and human capital—every quarter. Green means an agency has met all standards for success; yellow means it has met some but not all the criteria; and red means there are serious problems.The National Science Foundation earned the first e-government green rating in February 2003.OPM also is one of two agencies that earned either a yellow or green score in all of the management agenda categories. The Energy Department was the other.“These agencies are leading the pack with regard to management improvement and are furthest along to becoming the well managed, results-oriented organizations we want the whole government to become,” OMB deputy director for management Clay Johnson said.What finally put OPM over the top?IT security, said Karen Evans, OMB’s administrator for e-government and IT.“OPM really moved forward with a comprehensive IT security plan,” Evans said. “That is the last major challenge for many agencies.”Barnes said third-party organizations or the agency’s inspector general have certified and accredited nearly 100 percent of the agency’s systems. OPM took a two-pronged approach to meeting the requirement. Barnes said every program office has a designated IT security worker who takes part in monthly meetings.“These people are program people first and security people second,” she said. “They understand the nature of the data, and we are helping them understand the security functions.”At the monthly meetings, Barnes said her office discusses cybersecurity problems and ways to resolve them.OPM’s associate director for management and chief financial officer, Clarence Crawford, also credits the CIO office’s relationship with the IG.“The IG provides insights and assistance to identify areas that we need to improve our IT security,” he said. “They attend the monthly IT security meetings and give us as much of a heads-up as you would want about issues they see.”OPM officials also incorporate the IG’s suggestions into their annual strategic plan.OPM also met OMB’s requirements by completing its enterprise architecture, getting all of its business cases approved by OMB and participating in the 25 e-government initiatives.“We have a solid IT program,” Crawford said. “We’ve had an architecture in place since 1997, and we’ve focused on cost and schedule issues for many years. It hasn’t been like we had to find religion over the last few years.”Besides the security meetings and the IG input, Crawford credited OPM director Kay Coles James for taking an active role in the process.“Director James asked deputy director Dan Blair to support the e-government item on the PMA, and he attended every meeting and was actively involved,” Crawford said. “That made the director’s priorities and commitment to this very clear.”Now that the agency’s made the top grade, OPM officials are looking beyond green.“Green is more of an indication of status than an end goal,” Crawford said. “Getting to green is really nice, but the more important item is you are improving your business processes by getting to green.”