It’s hard to fathom the number of critical government processes that have had to evolve – very quickly – to meet the needs of the American people during the COVID-19 pandemic. And if this crisis has a silver lining, it’s the accelerated modernization and innovation being born out of it. MeriTalk is surfacing the untold stories – and lessons – of those efforts. In the latest installment of CIO Crossroads, we turn to the General Services Administration (GSA).
GSA’s Lessons: Put People First – CIO Q&A
In the Federal IT community, we’ve all seen the analogy of the three-legged stool – technology, process, and people. After speaking with GSA CIO David Shive, it’s clear that a “people first” focus pays great dividends toward agency mission success, especially in a time of crisis.
GSA delivers the products, services, and facilities that agencies need to serve America. It oversees $66 billion in annual procurement, and it’s the largest landlord in the world, managing approximately $500 billion in U.S. Federal property. GSA’s job is to literally keep the lights on for the Federal government – every hour, every day.
As a modernization leader, GSA became mobile-enabled more than five years ago, and has moved over 50 percent of its technology workloads off premises. These shifts helped the agency adapt easily to the new requirements of the COVID-19 era, and it now has a 99.6 percent telework-ready rate.
Having quickly stabilized in the “new normal,” GSA has been on the front lines, providing other agencies with Personal Protective Equipment (PPE), IT, and other equipment in the hundreds of thousands of units. And, even as it deals with these short-term critical issues, GSA is already looking ahead to how it can sustain the modernization advancements that have been made during the national emergency.
Please join us for an in-depth conversation with David as he talks about how GSA has managed its workforce during the pandemic so its people can help serve the rest of the Federal government during this challenging time for our country.
MeriTalk: As CIO of a large agency with a government-wide support mission, can you share your biggest priorities during the COVID-19 response? What are you proudest of?
Shive: I’m most proud that we immediately focused on the safety and well-being of our workforce by starting a daily accountability tracker for all employees. This lets us see where everyone is – if they’re teleworking, on leave, or on facility – and make sure they are okay. An important aspect of this was requiring a rationale for people going into the office. We are under mandatory telework, and our Administrator meant that, so we need to make sure that anyone going to the office has a very valid reason for doing so.
MeriTalk: What successes are you seeing?
Shive: We became a mobile-enabled agency five or six years ago, so this is not new for us. We’ve made the investment in tools, policy, and practice to support our mobile workforce. When we made telework mandatory on March 17, we already had the right technology and practices in place to enable our employees to work from home, with almost no disruption of work.
99.6 percent of our workforce was telework-ready, which enabled us to continue to deliver on our mission and do the hard work of GSA across multiple business domains, regardless of where people were working.
MeriTalk: Any other examples in addition to that very impressive telework number?
Shive: During the pandemic, we have been able to onboard people completely virtually – providing the secure access they need for remote connection and shipping hardware directly to their homes. We figured out what policies we needed to change to enable that – no wet signatures, no fingerprinting, etc. We’ve been able to work through it and deliver badges in a safe, secure way as well.
MeriTalk: How about something surprising?
Shive: The thing that surprised me the most was that the business mission of GSA continued unabated. We’re able to not only protect our employees, but also our customers who have repeatedly said – ‘everything we need, you’ve been able to give us.’
Their needs have changed very dramatically during the national emergency – they span acquisitions, facilities management, design, construction, and policy management of really tough technology. They’ve come to us with some interesting business objectives, and we’ve been able to do some really innovative, creative, transformative stuff to address their challenges.
MeriTalk: Do you have any mission metrics to share – perhaps in terms of acquisitions or real estate – during the pandemic?
Shive: Our customers have come to us with some very specific national emergency-related needs. They’ve asked us for PPE, IT, and equipment in the not just thousands but hundreds of thousands of units.
And they’ve come to us asking – “can you keep our buildings open?” We’re the biggest landlord in the world, and we’ve been able to keep our entire inventory of buildings open. We’ve not closed buildings except for occasional cleaning activities. That doesn’t mean people are working in those buildings, but we’ve been able to keep them open for the agencies we support in case they need to get in to deliver on their mission.
MeriTalk: What can you tell us about cybersecurity threats during the pandemic?
Shive: Because we’re a mobile-enabled organization, our cybersecurity posture must address those needs. Our investments in completely distributed cybersecurity – the TIC 3.0 model – and associated effort and tools was critically important.
We’ve essentially created a small government facility in each person’s home. From a logical standpoint, the infrastructure they’re working on looks and feels the same as if they were working in a hyper-secure government facility. We did that because we knew the number of nodes that we needed to manage was going to explode, partly due to internet of things and organic growth there, and partly because people are doing the work of government on any number of devices – their government furnished equipment, cellphones, and tablets and laptops.
They are also using personal devices, so we’ve had to create a cybersecurity wrapper around that to protect our environment. The nice thing about it is, once you create that capability, it doesn’t matter if you have 15 or 25,000 or 50,000 devices, you treat them all the same and they’re going to be well protected.
We’ve had to be very thoughtful about our cyber strategy and check our math fairly regularly to make sure that the assumptions we made about working in such a distributed environment were correct, and they have been.
MeriTalk: How has vendor support been?
Shive: We’ve been very pleased with how some of our long-standing industry and system partners have been very quick to react and respond to either real or perceived threats to cybersecurity in this widely distributed environment.
We’ve seen companies deal with problems that didn’t exist three months ago due to scale or to a perceived or real threat. They’ve reacted in minutes and hours rather than days, weeks, or months. Our public-private partnerships have helped support government through this really tough time, and that’s been fantastic to see.
MeriTalk: What’s been your experience with the CDM program during the pandemic?
Shive: The suite of tools in CDM is great, because there’s a vetted toolbox that people can use. They know these tools are suitable for government use and are proven to work well. Agencies have had to strengthen their security postures very quickly in this environment. If you can reach into a toolbox and grab a tool that’s been vetted by the very important people at DHS and by others who have used it, it really helps accelerate adoption and standardization.
We are heavy users of the tools represented in CDM, not just because we’re one of DHS’ CDM partners, but because they’re good tools from solid industry partners doing great cybersecurity work in the government space.
MeriTalk: Can you give us a wider picture of how cyber threats have been increasing during the pandemic?
Shive: I always have my scary numbers – we have millions of attempts against our computing infrastructure per hour, for example. But that’s coming at us in an automated fashion, so you would expect really big numbers like that. We have to employ the really smart tactics that operate at the speed of light, rather than analysts sitting there monitoring stuff. That’s IT Security 101; it doesn’t matter if you’re in the government or commercial space. But those defenses in-depth are working well.
MeriTalk: The 99.6 percent telework enablement figure is outstanding. Are there any tech adjustments that can be made for people that can’t telework, and have to do their work face to face?
Shive: We started out our response to the national emergency assuming that there would be some people that needed to be in our facilities, either all the time or on a regular basis. That 99.6 percent enablement number is legit, and we average between 95 and 96 percent of people off site every week.
We’ve found that there are actually very few people that need to be there all the time. There are people who sometimes need to “parachute in” for a specific mission-related reason. But we can often resolve those issues so they only need to go in once.
MeriTalk: What is GSA’s total employment number right now?
Shive: It’s around 11 to 12,000 people, and for devices we’ve tracked around 15,000.
MeriTalk: Looking at the big picture, what’s been the greatest overall lesson for you since the pandemic began?
Shive: I think the greatest lesson that I’ve learned – or relearned – has been that when you focus on your people, your end product is better. That’s includes how you manage your own people, as well as how you respond to your partners.
I mentioned earlier that we supported and invested in a remote workforce, and that we generated the data to be able to effectively track and manage our workforce. I learned very early in my career here – if we keep the person at the very front of everything we do, we’ll be successful in the delivery of IT and the support of GSA’s mission.
MeriTalk: What systems have worked best, and can you tell us about any lessons learned regarding IT modernization, cloud, or cyber?
Shive: The systems that have worked the best are at the foundational level – VPN, two-factor authentication, security backbone, etc. Since we’ve been a mobile-enabled agency for years, this time has presented an opportunity to tweak and tune around the edges for better outcomes.
Collaboration has worked really well. Our ability to communicate internally, in real time, has been instrumental in being able to provide effective services to our customers.
Our pivot to the cloud has also been really helpful. We entered the national emergency with more than 50 percent of our technology workloads running off premises (cloud and managed service). That prepared us well for this time when we need to do the work of GSA from anywhere. It’s been a game changer.
MeriTalk: How would you grade intra-government collaboration and cooperation at this time? What’s working well, and are you seeing any opportunities for improvement?
Shive: On the intra-agency collaboration piece, I have to give us an A. When we survey our partners, we always ask, “Do you know who to contact?” That is a surprisingly tough thing, especially when people are stressed. We hear time and again that people know how to get a hold of us when they need us.
I’ve also been very pleased to see Federal CIO Suzette Kent getting all the CIOs together on a regular basis and saying, “We’re going to have an agenda-less conversation about how we can work together to solve the complexities of the national emergency.” The mission of government is so broad and diverse. Even though our missions are very different, there has been massive value in getting everybody together to talk about the problem areas we’re seeing and the solutions we’re using to address them. How do we manage workforce or use technology to enable the mission? Where can we help each other?
There is opportunity for more collaboration. There are some agencies that had already started their modernization work prior to the pandemic. And now they see value in reprioritizing and pushing those modernization efforts forward. I think there’s a fair amount of opportunity for GSA to provide roadmaps and technical support as those agencies accelerate that work.
MeriTalk: Tell us a little bit about your days in the first week or so of the crisis. How have your days changed since then? Are you fully entrenched in the new normal now, and if so, what does that look like?
Shive: For the first hours and days, we were assessing the emergency and how we could structure our response to get the greatest value out of our work. We actually started right before the national emergency; we did some stress tests on our infrastructure to make sure we could operate and do the work of GSA from any location.
Our partners were also stress-testing their systems and identifying places where we could help. We looked at areas where we needed to pivot to different outcomes, but we didn’t need to change much – just a little tuning around the edges.
Now, we’ve fallen into a certain cadence. We know where most of the pain points are, both internally and with our partners, and we’re doing the work to address them.
At the end of the national emergency, the work of government will look very different. We will have accelerated modernization quite a bit. Some of our work is starting to focus on how we can sustain the advancements that we have made during this critical time. Each day that goes by, we’re nimbler. We can react more quickly. We’re driving toward a government that can react to changing business requirements as quickly as the commercial sector can, and as quickly as the citizens we serve demand.
MeriTalk: What advice would you give to the Dave Shive of three months ago?
Shive: I would say to trust the plans we had in place, to recognize that the rationale for them was sound, and that we tested them enough already. I probably would have spent less time testing and validating, and more time solving problems.
I also probably would have focused more on the people side of the equation. We did so right out of the box, but I would have been even more aggressive about it. We can have the best tools and business processes in place, but without the humans of GSA to do the good work, none of it matters.
It’s not just stressed technology we needed to look out for, it’s stressed people. Stressed people work at a reduced capacity as well. So as a people manager, I might have paid more attention and asked things like, “What can I do to help you focus on your families and the people that you’re taking care of, as well as the important mission of GSA?” We got there very quickly, but I probably would have pushed that up to the very top priority.
MeriTalk: Any shout-outs you’d like to give to team members at GSA? And across the government?
Shive: I have to start with my team at GSA. I always say that we have the finest IT organization in the Federal government. And through this, they’ve absolutely confirmed that.
I’ve been especially proud of our teams who communicate, both internal to GSA and our communications department. You get the best outcomes when you deal with the whole human. Part of that is effective communication, and I’ve been so proud to be a GSA employee during this time. Every decision we’ve made has had the people of GSA at the very forefront followed very closely by mission enablement.
Across the government, I’m really thankful to Suzette Kent for creating an environment where the CIOs and CISOs under Grant (Schneider) have been able to come together on a regular basis and swap war stories. We talk about the good things we’re doing, as well as the tough times, and we’re creating a community that can learn from each other and work together to get the best outcomes for the government. It’s made me very proud to be a public servant.
MeriTalk: How will your team function in a world without traditional conferences? Do you envision a new way of interacting with industry?
Shive: We had to take our Fast 2020 event virtual in a very short amount of time, and we had to make sure that the technology was there to allow a bilateral two-way conversation with our industry partners, as well as with GSA executives and practitioners. We’ve stress tested that capability and gotten a good result. It’s not always perfect, but any in-person conference is not always perfect either. We’ve learned that we can do even that part of our mission at scale.
One of the things that makes us an effective organization is our focus on staying current in various business disciplines, from design and construction to acquisition, policy, and technology. During this time, we’ve had to be more intentional about staying current. Sometimes that means logging on to a web-based conference.
We’re in the middle of a national emergency. The chance that we could send somebody to a five-day conference where they could devote 100 percent of their focus is zero. But that’s the right thing at this time. We’ve had to learn how to consume information to stay current while also doing the important work of GSA during a national emergency.
MeriTalk: What has been the most useful remote work tool or capability that has allowed you to stay effective at work?
Shive: I guess my blanket and my house cat. Today, business is 24×7, and the citizens we serve rightly expect their government to operate 24×7. Traditionally, we’ve had a hard barrier between personal life and work life. But I see that softening a bit, and I see people happier in their work because of it.
When I first started out in the 80s and 90s, there was an intentional blurry line between work and personal life. And that created deep personal connections that helped us deliver services better. I see some of that working back in now. And it’s partly because my cat will jump up on my lap while I’m on a video call. But it’s also partly because we’re reintroducing the humanity. We have this common challenge for the good of the citizens we’re serving, and I see that changing how we all interact and work with one another. In that regard, I’m grateful. I would never wish this national emergency on anybody. But there’s some good to be derived from it.
Read other Federal success stories from the COVID-19 pandemic.