Federal IT has proven its value as the vital lifeline between government and citizen service during the COVID-19 pandemic. MeriTalk is chronicling the untold stories of how Federal IT is getting the job done – and lessons for the road to recovery. Our latest chapter of CIO Crossroads explores IT operations at the Department of Education.
Timely Modernization Clinches ‘Team Education’ Pandemic Performance
The Education Department’s reach into all corners of the American landscape is rivaled by few Federal agencies. And its mission – fostering educational excellence and ensuring equal access so that all students can reach their highest potential – helps form the very foundation of the country’s future.
Executing on that mission relies on policy making, relationships with thousands of educational systems, and distribution of billions in financial assistance. When the coronavirus pandemic roared onto the national landscape in mid-semester and forced schools to take online cover, the stakes could not have been higher.
In an exclusive interview with MeriTalk, Education Department CIO Jason Gray explains how the agency aced the pandemic test by leveraging the fruit of an IT modernization push that began in 2017. Those efforts allowed the agency to move to 100 percent telework in a matter of days and distribute $31 billion of stimulus funding over a period of weeks.
Along the way, the agency undertook a dramatic VPN capacity expansion, upgraded key cloud hosting infrastructure over a weekend, reworked Multi-Factor Authentication (MFA) systems in less than a week to onboard several hundred new employees, and notched a six-fold increase in online collaboration tools use. We invited Gray to school us on how his team did it.
MeriTalk: Can you provide some metrics to illustrate the success of your work during the pandemic that tie to the Education Department’s missions? What’s the story of the last four months by the numbers?
Gray: Our IT organization is focused on service delivery to enable people to accomplish their mission. Prior to the pandemic, we were averaging 20 to 25 percent VPN utilization for the whole department. Now, after COVID hit and we moved to 100 percent telework, we are in the upper 90 percent range for VPN utilization. That was a massive jump, and it literally happened over a weekend.
But all of the buildup to accomplish that was years in the making. In 2017 we worked very hard on our modernization strategy, roadmap, and plan. We started executing that plan in May of last year, and we finished a massive modernization effort that allowed us to adapt very quickly this year.
In a few short weeks during the pandemic, the department was able to send out close to $31 billion of stimulus funding, all while working 100 percent remotely. The department was prepared to continue its mission, regardless of whether employees were in the office or not.
Our use of online collaboration tools prior to the pandemic averaged around 60,000 calls per month. Now we are averaging over 370,000 calls per month. We have also been able to onboard new employees during the shutdown, and we were able to come up with a solution for that very quickly. I am very proud of the team for being able to do so.
The rapid transition of our team – meaning Team Education – to a 100 percent remote environment is pretty significant.
MeriTalk: Can you share some details about managing the VPN capacity?
Gray: We have not only doubled the capacity that we could have from a VPN, but also have ensured that we have a fault tolerance which would actually triple our VPN capacity. We have multiple sites that are providing our VPN services, and the team has done a great job ensuring that if one of those sites goes down, we could still provide VPN services to the department.
MeriTalk: What are a couple of the largest priorities that you had during the pandemic, and what are some of the largest successes?
Gray: One of our priorities is collaboration with the education community and institutions of higher education. We didn’t want to reinvent the wheel; we wanted to figure out how to engage with committees and workgroups that they already have established. My team focused on cybersecurity. Operationally, we looked how to share best practices and threat intelligence. Those relationships will continue to blossom.
Another priority has been to implement an alternate MFA mechanism to be able to onboard employees who did not have a Personal Identity Verification (PIV) card. That could take three months to implement, but I had a great conversation with my team and said, “Hey, three months is not going to work because in two weeks, we’re going to be onboarding new people who will not have PIV cards, and we need a solution.” Within five days – counting the weekend – the team was able to come up with a solution that complied with our cybersecurity requirements. In the last 15 weeks, the department has been able to onboard over 300 new staff.
And then a few weeks ago, we needed to upgrade our cloud infrastructure. At the Department of Education, we’re 100 percent cloud but one of our key cloud service providers needed to upgrade one of our core hosting sites that has close to 700 servers. All of the supporting infrastructure – the bandwidth, the CPU, the processing power, the storage, as well as numerous security enhancements – was done over a weekend. In a non-cloud environment, there’s no way you could do that in a weekend, unless you had a massive amount of resources and people. I’m really, really proud of the team for being able to do something so massive in such a short amount of time that was 100 percent successful, with no issues.
MeriTalk: There are a lot of options for collaboration tools. Is there anything you’re standardizing on, or maybe having a second option in case something goes wrong?
Gray: We are standardized on two, Skype and Teams, although Skype eventually is going to be replaced by Teams. But we’ve piloted Zoom. I’m very impressed with it as well. We’re very interested in Zoom because a lot of the education community uses it, and we want to make sure we can participate on the platforms that people are using. We also want to make sure we’re not paying for redundant capabilities. I wouldn’t look at expanding beyond there, because we want to be good stewards of taxpayer dollars, and the more we have, the more we need to secure.
MeriTalk: Are there any special challenges to working with many non-Federal organizations whose technology states may differ from the Education Department’s? Does that cause problems?
Gray: That’s a very complex question, and it gets to the question of what authority does the department have. A lot of the primary concern is about the data that we share with each of the institutions, but we also care about the educational journey of every student. It’s not just about data, but of course we want to make sure that student information is kept secure. That’s why the relationships that we have created – with over 6,000 institutions of higher education and also the groups and NGOs that engage with them – are so important.
The partnership works both ways, so it’s not just the government saying, “Hey, this is what you need to do to protect student data.” We have certain requirements that NIST and FISMA give us, and sharing best practices with [the education community] has been very helpful.
MeriTalk: Can you tell us about particular systems that have worked best and any broader lessons those have yielded?
Gray: One of the greatest lessons is how critical IT modernization is, and planning for that. In 2017, we put together a roadmap for IT modernization – it took a lot of time to understand everything and start figuring out the things that we’re going to do to rationalize and consolidate, and things we can do right away versus longer term. As a result, there’s a plan we’re executing against – actually a 16-foot diagram that maps out exactly what we’re going to do.
In executing the plan, last year we were transitioning off a 12-year-old legacy IT contract. That resulted in the department modernizing and upgrading literally everything – meaning we have no Windows 7 – I believe we were one of the first agencies to transition 100 percent to Windows 10.
It’s really hard to convince people to invest in something new when everything’s working. But we needed to do it exactly for a situation like the pandemic. We need to be ready to not only deliver the services that we deliver today, but also to be able to adapt and adjust to the environment of tomorrow and whatever that brings. A year ago, there’s no way I was thinking that we’re going to be in a global pandemic and everyone’s going to have to be 100 percent telework. And yet here we are.
Supply chain is another important lesson. It’s absolutely critical to make sure you have devices that you can provision. The IT service providers have been great and we’ve been able to get the equipment we need when we need it, but normal just-in-time delivery has been impacted by the pandemic. That’s something I’d probably have done a little bit differently – to have more stock on hand.
MeriTalk: How long did it take Education Department personnel to get up to speed with telework?
Gray: I would say about two days. When suddenly we had to transition to 100 percent telework, my biggest concern was how many people were going to be inundating the help desk. We definitely saw a brief spike in help desk activity. Our average expected speed to answer in our service level agreement is 30 seconds. On day one of telework, our average speed to answer was 55 seconds. By day three our average speed was 14 seconds – and it’s been consistent since then.
MeriTalk: How many people are you supporting at the Department of Education?
Gray: On average, we have 5,000 employees coming into our environment, including contractors.
MeriTalk: The spike in COVID-themed phishing attacks during the pandemic is well known. What’s keeping you up at night regarding cybersecurity threats?
Gray: Cyber is something that we’re always going to be worried about. I think about it every day, and if anything is going to keep me up at night, it is cyber for sure. It’s a constant challenge. I don’t think I would ever say we have our arms around it fully because it will change the moment we feel like we do. We are seeing an increase in the number of SMS attempts or phishing attempts to exploit the pandemic.
Another thing that keeps me up at night is the insider threat. There are different types of insider threat – the inadvertent, the malicious, and then perhaps someone who was compromised unknowingly – which is why education is so important. It’s making sure people understand roles, responsibilities, and what they’re obligated to do. It’s like when you go to the airport: If you see something, say something.
MeriTalk: If you could travel back in time to four months ago with the experience you have today, what advice might you give yourself?
Gray: I would say modernization is absolutely critical, because a significant amount of the department’s success is due to the work that we had done over the last couple of years. If I could rewind, I would also focus on the supply chain and making sure that we had alternatives in play. Another thing I would focus on is over-communicating and letting people know what’s going on. I feel like people take for granted that services are available because we’re used to doing things a certain way. So I would probably end up spending a bit more time making sure that people understand the available technologies.
MeriTalk: Tell us about collaboration within government during the pandemic – information sharing and best practices exchanged both within the CIO Council as well as to your IT teams. Is there any way that could be improved?
Gray: I have been extremely impressed with the collaboration and partnership. Federal CIO Suzette Kent and the CIO Council have been phenomenal, as have our recurring CIO Council meetings. This is something that started before the pandemic hit, but the collaboration in the CIO Council – I have not seen better. It has been great knowing that if I needed something from anyone or if they needed something from me, the relationship was there and you’re not alone trying to figure out how to run things.
When Maria Roat was over at SBA, or with Gundeep Ahluwalia at Labor, or [now retired] Renee Wynn at NASA, or David Shive at GSA – the collaboration and partnership – I’m not sure we could do it better. Even the transparency about challenges and lessons learned. It’s not just the CIO Council – the CISO Council has been the same. My CISO, Steven Hernandez, is the co-chair of the CISO Council. Everyone is partnering together to ensure that the government would have no issues continuing as it relates to cybersecurity, or IT services in general.
MeriTalk: If you take us back to the start of March and what your typical day looked like – how have things changed since then? Do you feel fully entrenched in this “new normal” world now?
Gray: Looking back, it’s about the unknowns, which in IT you’re always going to have. It’s hard to prepare for the unknown, but that’s what we do every day. We’re definitely entrenched in the new way of doing things. From an IT service delivery standpoint, I’m not sure things have changed much. Everyone is leveraging certain services in a different way – like the VPN – and some of the collaboration tools are being used a lot more.
From a people standpoint, it’s been about communicating and making sure people understand it’s okay to have regular work hours. That was something early on that we watched very closely, because I didn’t want to have anyone on my team putting in more time than they should. That’s something I heard in numerous calls, even across government. I think it took some adjusting for people to get used to working at home, but at the end of the day realizing, “It’s okay, you’re not at work anymore.”
MeriTalk: You talked about getting help desk response time down to 14 seconds and rolling out a brand-new MFA solution in five days instead of three months. Are there any other compelling real-world stories of success that you can share?
Gray: I’m not sure I could top doing the complete cloud upgrade over a weekend. That involved a lot of people, system owners, and everyone working to test and validate. It was a remote digital environment, and it was just amazing to see everyone come together to get something done in a weekend that would have normally taken weeks, or even longer.
MeriTalk: Would you like to give any shoutouts to members of your team at the Department of Education or other folks within government?
Gray: The list is really long. Secretary DeVos has always been 100 percent supportive of IT. The deputy secretary, all of the assistant secretaries, and my team. I have an amazing deputy, Ann Kim, and my division directors are amazing. All of the employees; everyone is 100 percent invested in making sure that we provide the best services we can. In the department, you really feel like part of a family. Across government, Suzette Kent has been great, the whole CIO Council has been very responsive.
Even the engagement with the vendor community was awe-inspiring for me. Everyone was focused on “How can we help you?” versus “How can I create business?” I would definitely like to thank the vendor community because it showed the real passion and drive to help not only government but also this country as a whole.
MeriTalk: What do you think might change in government or in society because of the pandemic? What will we do that’s new, and what might we stop doing?
Gray: It’s a little early to tell, but some things that come to my mind are ways that we deliver and receive digital services, and in education, transitioning from an in-class environment to a remote environment. It’s been great to see the various approaches that people are taking – where you have some students in class, some online, and you alternate so that you can maintain social distancing. I think the agility and ability to adopt digital services is going to be absolutely critical.
Digital signatures are an example. Government has really been focused on needing a wet signature. A digital signature that is verifiable is just as good as a wet signature. I hope we’ll never have to go back to wet signatures.
I have been in awe of what the government has been able to do during this pandemic. It has been wonderful to see how efficiently and effectively that preparation and continuity came into play, how modernization came into play, as it relates to being able to adapt to the unexpected. I know that whatever the future brings, my team will be able to handle it because time and time again, we’ve proven that, and I think government as a whole has as well.
MeriTalk: How do you think you and your team are going to function in a world without conferences? How do you envision the future of interacting with industry at trade shows or conferences?
Gray: I think we’ll be fine. I want to share two examples. A couple of months ago, we had our first 100 percent remote all-staff meeting. At the meeting, we talk about the great work that people have done and recognize them. When we do that in person, people applaud and it’s done. What’s really neat in the remote setting is the engagement. When you have everyone clapping – that’s one thing – but the individualized “great job” from 50 people, it gives a very different feeling that you don’t get in a room crowded full of people.
The second example is my high school senior who just went through graduation virtually. It was individualized, with video clips, and people got very creative. They did a bunch of things that in a normal meeting environment and setting you would not be able to see. It gave a much more personalized feel than in a meeting.
I think that the pandemic experience is going to add a more human element and have a very positive effect on the way that we do things. I think we’ll eventually get to the point where people will have in-person meetings. But it’s been wonderful to see how technology has been used to have large meetings, sometimes over a couple thousand people, and still have that feeling of being an active participant.
Read other Federal success stories from the COVID-19 pandemic.