Listen: Education CIO's Modernization Journey Hones in on Security

Season: 4 | Episode: 1
The department has been recognized this year for successes in cloud and telework.
Jason Gray, CIO, Department of Education

The Department of Education is undergoing a modernization journey that ramped up when CIO Jason Gray joined in 2016. Gray discusses the progress since then, which resulted in FITARA score improvements, cloud development, pivots during the pandemic and an increasing focus on data security to protect student and financial aid information.

This episode is sponsored by Dell Technologies and Carahsoft.

Transcript
Amy: Welcome to GovCast - connecting with federal IT's top decision makers. I'm your host, Amy Kluber. We are kicking off Season 4 of GovCast. We spruced it up a bit, taking into account some feedback from you, and also aiming to bring more insights and personal stories from government's top technologists. We hope you enjoy.

The Department of Education has been undergoing a significant IT modernization journey. This year, the agency has been recognized for its significant improvement in its FITARA Scorecard, which we know measures agencies' IT management and procurement improvements. And then of course there's its cloud successes. CIO Jason Gray saw its benefits during the current pandemic’s telework pivot. In this episode you'll hear from Jason about where security comes into play and how his efforts are changing how the department works. All this to ensure its mission on protecting student data, coordinate federal aid, and enforce things like privacy and ethics among its other roles. You'll also hear what's ahead in 2021 as the agency continues to build on its IT improvements.

Thank you to episode sponsors Dell Technologies and Carahsoft.

Sponsor: Welcome. I'm Eric Barnes, Director of Citizen Services at Dell Technologies. It's a delight to introduce a leader making significant strides in the education space while in the midst of the ongoing COVID-19 pandemic. Technology has played a major role in the transition in distance learning. Many educational organizations are trying to recreate environments similar to in-school learning where students are the most comfortable. And in many cases, this requires a technology modernization effort. As schools are surmounting these challenges, the Department of Education is embarking on a digital transformation journey of its own, and Dell Technologies is dedicated to supporting them and other education institutions through this transformation. Today we're joined by Jason Gray, CIO at the Department of Education, as he walks us through the Department's accelerated timeline towards digital transformation, and the impact technology has had on the transition to remote learning. Please join me and our partner Carahsoft in welcoming Jason Gray.

Amy: Jason, thanks so much for joining us on GovCast, great to have you today.

Gray: Thank you.

Amy: So what got you interested in IT, and what led you to the Department of Education now?

Gray: So, what got me interested in IT - several things. The one thing I love about IT is, there's always an answer. At the foundational stage, it's a zero or a one, right? There's always a reason, so I love that about technology, that if something isn't working, there's always a reason why. I will share that getting into technology was not my plan, was not thinking about it. Certainly when I was younger, but took a trip to a foreign country where I was there to teach English, got stuck there and ended up getting an offer to, not pay my way back to home but pay my way back to work off my new plane tickets, and in that process was building computer memory, putting the chips and the boards together and soldering and testing, and that I found enjoyable, had a great time to understand how it worked on a very detailed level structurally, so that kind of got me into it, but I love that there's always an answer, it's never a “we're not sure, we don't know why,” it's “we're not sure, we don't know why yet,” but there's always a reason and always an answer.

Amy: Interesting, so kind of going from teaching English to the IT side, that's not a natural path I guess to IT, which is pretty interesting.

Gray: Yeah, no, and then to get to your second question about, you know why, what led me to education? I will say, I mean as a public servant it's always about, I mean this is the fifth agency I've been at in government, whether it's DoD, Transportation, the Veterans Administration or Department of Navy, it's always about the mission, right? It's about trying to be a positive change maker, a change agent to bring about a positive impact. So to me, it's about mission. When I look at going from DoD, having been in the military, it was, you know, focused on defense, and then transitioning to the Veterans Administration, it's about caring for those who bore the battle, if you will. Transportation was about the various modes of transportation and making sure that there's good roads, so, you know, safe air transportation, so it's all about the mission, and when I look at the Department's mission about promoting student achievement and preparing students for global competitiveness, it's really about the mission.

Amy: That's a fantastic point, and we do hear that, you know, commonly with other CIOs across government is how the CIO really fits into that overall mission. So that kind of leads me to my next question: how does the CIO fit into the education mission? Like what does that look like?

Gray: So yeah, that's a good question. I - it's fascinating, because I will meet with different, you know, vendor communities and they will ask a very similar question or make a proposal for things that literally have nothing to do with anything that me or my team does, so in terms of the role of the CIO, it's a large role, there's a lot of depth and breadth in terms of the responsibilities of my team and me as the CIO as well, but operationally it's making sure that you have devices, whether it's laptops or cell phones or printers or, you know, mice and keyboards and those sorts of things, but that's like a really, really small component. There's also, you know, making sure that, from a governance standpoint, that we're being efficient and effective with how we're spending the appropriated funds that we receive to drive the Department to achieving its mission or accomplishing its mission as we strive for the vision of where we're going, all aligned, which is, it's a rather complex thing to do, but making sure that, you know, when you have hundreds of systems and you have a lot of, you know, hundreds of different requirements and capabilities you need to provide, you need to make sure that, you know, you're overseeing that, but also that your team is, you know, coordinating collaborating with everyone so that we can do that in the most efficient way, where we don't have a lot of duplication or redundancy to the point where we're spending money that we shouldn't be on things that we've already spent on, so it's managing from a governance standpoint, which is why we focused a lot on app and system rationalization, so that we can consolidate down. 
There's that piece, and of course, certainly, if not the most critical piece, certainly, always one of the top ones and top of mind for me is cyber security, right, is we need to make sure that we're defending and protecting and securing the information and the systems that we have and we're responsible for, because there's unfortunately just a lot of bad actors out there that would have less than honest intentions for the data that we have and that we protect, so it's really, really focused on kind of those types of activities, and then of course the day-to-day interactions about ensuring that we're finding better ways and safer and more secure ways to deliver services to the customers that we have, which in turn also deliver services to the citizen as well, so it's kind of wrapping all of that together while also complying with, you know, laws and, you know, the compliance activities that we have to make sure that we're doing, so it's, there's a lot to it, but it's a great job, absolutely is critical to depend on the relationships that you build with the CXO community, you know, the Chief Acquisition Officer, the CFO, the different leadership across the department, so it's, it's literally, because even in the environment we're in with a pandemic where we, you know, had gone from around 60,000, you know, collaboration calls a month, now we're close to 500,000 calls a month, everything is dependent on technology, so making sure that those relationships are there and the understanding from a business standpoint of what the department needs and making that a reality in a safe and secure fashion.

Amy: There's a lot to unpack there, and I definitely want to get into the security aspect of things in a few minutes, but first I wanted to ask you, you know, you mentioned some of your prior roles in the defense community. Of course, you were in private industry. Is there anything that you learned in some of your prior roles that are applicable now in the current environment at Education?

Gray: Absolutely. I mean it's funny because, whether it was my time in the military, I was in the army, and the structure and the discipline that you learned there, I mean ideally, every single interaction that you have in life should be teaching, right? You should learn something from it. The good experiences, the not so good experiences, you should learn from them, so I would definitely say that every experience I've had, regardless of agency, and actually I, I send out, now they're monthly, they used to be weekly, but I send out monthly hot topics to the team of kind of a, to illustrate some of the lessons learned from different activities or events that go on. I will say that I remember, in one of the agencies I had gone to or worked at, you know, the importance of FISMA and how critical it is, I remember when I got to the Department of Education a little over four and a half years ago, one of the first things I did is had the CISO at the time give a very detailed briefing on exactly what we're doing from a cyber standpoint, but also, you know, so that everyone else would learn the importance and the value and the relevance of what we were doing as it relates to the work that they're doing. But in terms of some of the, the things that I've also learned: relationship management is absolutely critical, and this goes across the board, meaning that as a leader you depend on your team to get stuff done. As you grow in, you know, promotions and responsibility, you realize that, you know, when, when I was young you think, oh great, you know, I'm in charge, I'm responsible for and I have these people who work for me. Well, as you get older and you certainly learn, and I know I've heard this before but, it's not that you have all these people that work for you, it's that you work for all of these people.
You're advocating for them, you're supporting them, you're getting them the resources and funding that they need or the tools that they need or the buy-in that they need, so it's really about making sure that you're taking care of your team, because as you continue to grow in, you know, the roles that you have, you get to a point where there's so much work to be done that you as an individual can't get it all done, so you have to depend on others. It's not just your team, but even across when you're at a cabinet level agency, having relationships with the different lines of business or principal offices, as we call them here, or modes of transportation as they called in the Department of Transportation, it's about building those strategic partnerships and, you know, showing and demonstrating the value that you're bringing to the organization as a whole, so in terms of lessons learned, relationship management is absolutely critical, it has to be genuine, it has to be sincere, and you have to take care of your people because without people, you can't get it done, you will not be able to get it done, so that has been critical. One maybe last piece that I know that, when I was at Transportation, became very relevant to me, I was responsible for their IT portfolio, but the importance of governance, and I'm not talking about red tape, what I'm talking about is being able to clearly understand how what you are doing as an organization is aligned with what the organization needs to achieve, and you're doing it in a safe, secure and cost efficient and effective manner. That is absolutely critical.

Amy: Those are fantastic points, and obviously anyone can notice how some of this is shining through in some of the Department's recent IT evolutions, especially this year. A huge part of that is the cloud, you know, if listeners haven't read about that yet, the cloud has been a huge thing even this year for you. How have these efforts impacted how the department operates?

Gray: Yeah, so I will say when I first got to the Department we, the technology was not where it needed to be, there was a lot of work that had been done, so we had a lot of work to do, to improve the performance of some of our systems took a long time to log in and boot up, a lot of it had to do with the environment and circumstances at the time, so in terms of, you know, some of the challenges and changes, I look at cloud, we invested last year heavily in modernization, it was a multi-year plan that was put together shortly after I got to the Department. We started executing it and finished the large transformation in May of last year, and a large part of that, the Department is all cloud now, and we have been, I think we had one environment that was not cloud when it got to the Department, but it had already been scheduled even before I got to the Department to go and transition to the cloud, but modernizing and getting us to the point where it took, you know, 40 seconds to log into your machine, that really enabled us to pivot very quickly when we had to transition to a lot of people working from home. In terms of the cloud itself, part of the modernization effort was doing cloud rationalization, system rationalization, because while a lot of agencies were focused on cloud migration and getting to the cloud, we were already there, and it was more on, how do we consolidate and slim down our footprint, not just from a cost standpoint because you do receive some savings there, but it's more the administrative overhead of managing all of the cloud. But then, another extreme value that we had literally a few months ago, we had to do a tech refresh in our largest cloud environment, in over 700 servers, we were increasing the memory, we're increasing the processing power, we were making some security enhancements, and all of it, for the entire environment, was done over a weekend. 
In a non-cloud environment, that would have taken weeks if not months to do with, you know, 700-plus servers, hundreds of terabytes of information, but it was all done over a weekend. We wouldn't have been able to do that without the cloud, so the cloud has definitely been a, critical for us in being able to deliver the services we deliver at the Department.

Amy: And you know, all that work is surely paying off. Recently we heard about your stellar FITARA score, for example.

Gray: I have been very proud of the team. FITARA is absolutely critical, it's been critical since I've been at the Department, it was critical before I got to the Department, the team had a really solid plan, it's something we strive to continue. It is, it is evolving and growing, but yeah, we're, that has certainly been a top of focus element to everything that we're doing because it's really about making sure that, as the Department CIO, that I can speak to the IT and the things that are going on, whether it's cloud, whether it's cost savings and avoidance, whether it's the cyber posture of the Department, you know, there's, there's a lot of different elements that are currently assessed and rated, and the bottom line is FITARA is about making sure that not only the CIO understands their responsibility, but that the agency as a whole understands the importance of the position and the role which I have been very fortunate, at the Department of Education, for the entire time I've been here, that has been clearly understood and supported.

Amy: So, now back to that security question. Obviously you just outlined how much it's been a focus of yours, and considering this huge presence in the cloud, you know, that unlocks all kinds of security concerns, especially considering the types of data the department analyzes. Where are you seeing those security priorities heading now?

Gray: So, that's a great question. I mean, security is one of those things that's never done, right? I mean, we have made significant strides in the way that we're securing and protecting and defending the information that we're responsible for. I would say one of the biggest threats, certainly in the four and a half years I've been at the Department, has been more of an insider threat versus external, but again, we have certainly focused on educating our teams, educating the employees on what their roles and responsibilities are, putting policy together to make sure that we have sound policy to hold people accountable, as well as the tools that, you know, we have which are plentiful for sure. But in terms of going forward, my hope is that, as the Department continues to mature, and again if you looked at this year's FISMA audit that just came out, you will see in, in all five of the elements or focus areas or domains of the cyber security framework, we have made improvements in all of the subdomains, which is wonderful. So I know that we're heading in the right direction. It's a challenge, right? Because you've got, we just transitioned to a new environment, we knew there were things that we needed to do but we wanted to make sure that we did them in the new environment versus having to pay twice, you do it in the old environment and then you do it in the new, but the real focus going forward is going to continue to do the work that we're doing, of course, you know, faster and ideally more efficiently to make sure that we're, you know, protecting and securing the data that we have and that we're responsible for. But I would, I know that our CISO is focused a lot on zero trust, there's a lot of work that we're doing in that area, we've got some pretty significant identity credentialing and access management from a program standpoint that is going to continue to strengthen and enhance the cyber security of the Department. 
Even our Inspector General's report this year showed that we just need to keep doing what we're doing. So a lot of that is going to be focused on that, I definitely don't want to take away the benefits that we'll get with automating a lot of the activities that we have because, you know, some of the challenges is, humans are fallible, we make mistakes, and any opportunity we have to remove the human element where possible is where I'm going to spend a lot of time focusing on using things like robotic process automation and AI where applicable. Those are some, some of the things that we're going to be focused on heavily, certainly in the coming years.

Amy: Going back to the pandemic that we're currently experiencing, I understand education does not have oversight on anything going on with the virtual schooling nationwide, but you did mention it has a role with the data aspect, the security data aspect. Can you elaborate on that?

Gray: Sure. So a lot of the activities that we've been doing as it relates to the pandemic has been literally through the collaboration and working with the NGOs and non-government organizations and schools on, like best practices, threat intelligence, and collaboration. For example, we know that there's a lot of, you know, again, bad actors out there who want to exploit the pandemic or they want to exploit different activities that are going on as it relates to people being working from home, so we've really focused heavily on making sure that we're getting out in front of that, talking about, sharing about like phishing attempts or strategies and techniques that are being used, and communicating that out as well to the community, so the focus has really been on, through, you know, information sharing, threat intelligence sharing, and focusing on ensuring that we're providing guidance and tips if you will on, you know, whether it's the protecting controlled unclassified information for non-government organizations or, as I mentioned about like best practices, so the focus has been on there. Another piece of course that my organization has had when it comes to CARES Act funding, and the Department received quite a substantial amount of money to issue out there and to deploy to the nation, the focus is on making sure that the systems we have can handle the, the very strenuous amount of, hey, you got to get this out there, it's got to be done very quickly and securely, so it's also shoring up and making, I won't say shoring up because they've been secure, but making sure that the systems are running optimally to provide the services that the citizen depends on from the department.

Amy: Is there anything about technology in particular that you learned this year during the pandemic?

Gray: You know, that's a great question because, I feel like technology, I mean, does what, what it is told to do, I mean it does what it's designed to do. I certainly learned and reinforced that the modernization has been absolutely critical, it's not typically a fun topic to talk about because usually you're talking about spending money and you have to compete for resources. I am fortunate that we've had the support for the modernization efforts that we've had, because from a technology standpoint, it is an absolute enabler. I would attribute a lot of the, from a technology standpoint, a lot of the ability for the department to transition to near 100% telework was, as it relates to our modernization efforts and the quality of the technology we have. I believe we were one of the first federal agencies to transition 100% to Windows 10, which was great, so I feel like from a technology standpoint, yeah, I mean there's some lessons learned there. I would say from a people standpoint, one of the, the resounding lessons is, it's amazing how resilient the federal workforce is, how creative and innovative they are and agile they are in order to adjust to, literally, some pretty unexpected events with some very anticipatable results. That's probably the biggest lesson. I also, another thing I was very proud of and happy about was the collaboration and partnership between the CIO community across federal government. Even from a vendor standpoint, the amount of engagement that we have had, certainly in the last nine plus months, has been phenomenal, where people are truly out there to try and help us to achieve our mission, where the focus is on how can we help versus how can we sell something, so that was a, certainly some lessons from this pandemic so far.

Amy: Wow, amazing. You know, considering what's been going on during this pandemic, is there anything that you see your focus taking you, I guess, at the Department after the pandemic or even into next year?

Gray: Yeah, I would say, I mean it comes down to, to five key areas, right? I mean I definitely am looking at improving or enhancing and advancing the cyber security posture of the Department. Again, an unending battle for sure, but a lot of work to do there, looking forward to the continuance of that. Also refining and fine-tuning our governance to make sure that all the, the i's are dotted and t's are crossed and that we can very easily align what we're doing and what we have done with where we're going and where we need to go. I would say IT modernization is going to be absolutely critical to continue down the journey, I mean we, when I first got to the Department we did an assessment to establish an as-is environment, created a to-be environment, and then kind of the roadmap to get there, so I look forward to continuing that. Number four would be focusing heavily on user experience and customer experience, making sure that our customers and end users are getting what they need to do their job, which should translate to our citizens who leverage the services getting what they need from the department. And last but certainly not least is focusing on organizational health and making sure that I am doing what I need to do to take care of and support my team and organization as a whole or, you know, to adjust and shift to the needs, the unique needs of every employee and partner that I have within the department.

Amy: Wow, fantastic. Well, thank you Jason for unpacking a lot of the efforts that are underway and the things that we've been reading about that's been going on as far as IT modernization at the Department. It's been interesting to hear more from the CIO shop, you know, what's going on and, I'm looking forward to seeing what comes out of your department in the coming future.

Gray: Great, thank you for having me.

Amy: And there you have it. Security is going to have so much importance as agencies continue to unlock the benefits of cloud, and emerging technologies present more opportunities to work better, but it also unlocks more opportunities for threats. Since 2016, Jason has been transforming the agency's processes and tech capabilities. As government embraces new tools, I'll certainly be interested to see how Education applies them under Jason's leadership. Thanks again to episode sponsors Dell Technologies and Carahsoft.

Sponsor: Thank you Jason for your insights on how the Department of Education is going to remain a front runner focused on continuous transformation in the education community. Providing high quality education experiences for all students has always been a huge undertaking. Technology has played a critical role in allowing educational institutions like the Department of Education to achieve digital transformation, further supporting continued education. Dell Technologies and Carahsoft are excited to continue working in partnership with organizations like the Department of Education to achieve these goals, and we thank them for the opportunity to support their mission. We also want to thank everyone for joining today's episode.