Beating Security and Privacy Concerns to Manage Data at DHS

Security and privacy may be the biggest barriers to federal data management, but modeling data in a lab environment and upskilling employees can help federal agencies work around these barriers.

At an Advancing AI and Data Analytics in the Federal Government Summit hosted by ATARC, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) described their strategies for improving data management. The Department of Homeland Security’s unique data domain structure, they said, facilitates more effective data interoperability between DHS components.

FEMA Chief Data Officer Kathleen Kaplan said each DHS component has its own data governance council, and each one reports to one overarching DHS data governance council. This structure encourages cross-organizational work and discussions, she said.

DHS also assigns components to be stewards of different data domains, which helps facilitate common standards for data across the department. CISA, for example, stewards the cybersecurity and infrastructure protection domain across all DHS components, setting the standards for cybersecurity and infrastructure protection data.

Data domains and common data standards help the components manage their own data more efficiently and develop strategies that benefit the entire department.

“There’s right now over 110 systems at FEMA that we’re trying to wrangle and figure out, and what really is an authoritative data source,” she said at the event. “Those kinds of questions are constant on our minds. Having the cross-organizational groups and discussions is extremely helpful all the way around.”

Kaplan and CISA Chief Data Officer Preston Wentz said security and privacy are the biggest barriers to effective data management.

“We want to get the info out there but we’re the government, there are certain rules we need to follow,” Kaplan said. “We’re working the best we can, we work with our lawyers, privacy officers, to try to get as much info out as we can.”

“Be good friends with your lawyers and privacy people, they’re your friends,” Wentz added.

Wentz said CISA works around security and privacy barriers to data management by simulating data concepts in a lab environment, which is a joint project with the DHS Science & Technology Directorate.

The multi-cloud lab, he said, explores artificial intelligence and machine learning to improve CISA’s data management strategy without putting real data at risk for security breaches or privacy infractions.

“Sometimes that’s really hard to do on production networks,” he said at the summit. “We’re pursuing this lab environment so we can prove these things out. Data quality has to come before AI and ML. Data quality is critical — you need to be looking at the data, ask what you’ve got, if it can be trusted. Does it have an assigned data steward, using the most up-to-date data standards? Data quality is so important before you start feeding these assets to these algorithms.”

One of CISA’s biggest challenges is finding new employees with data analytics capabilities. Wentz said the current federal hiring process doesn’t always find the personnel CISA needs. Because of this, Wentz said CISA’s internal culture around data is crucial.

“That’s what I spend most of my time doing, thinking about culture,” he said.

But sometimes you don’t know what you don’t know, which compounds the issue and is a classic hallmark of each federal agency’s data management journey. One thing Kaplan doesn’t know is, who at FEMA can help manage data better?

“We have the major descriptions of staff and we’re trying to figure out, where in FEMA those staff are,” she said. “Who has those skills? Who could’ve coded us something else? We have to find those people that already exist. We tried to make available four hours every pay period of personal development time, [so employees can] get up to speed [on data], and sometimes we just have to throw the people in the deep end and let them figure it out and swim and give them as much guidance as possible.”

For CISA and FEMA, effective data management is a journey and requires open communication for best results.

“We’re all on the same journey … we’re all in different places in that journey and if you’re further back or further ahead please let us know, we can learn from you,” Wentz said.