Underpinning the delivery of citizen services, funding, and an all-important sense of normalcy during the COVID-19 pandemic, the Federal IT enterprise has provided firm footing in uncertain times. As the nation takes its first steps on the road to recovery, MeriTalk is chronicling the untold stories and lessons of the ongoing IT odyssey. In the latest chapter of CIO Crossroads, we explore the Nuclear Regulatory Commission’s IT operations three months into the fray.
Preparation, Training Clinch Pandemic Transition at NRC – CIO Q&A
If IT operations are the most important component for a resilient 21st century government, then what’s the most important raw element? Not silicon, but electricity. Enter the Nuclear Regulatory Commission (NRC), which oversees reactor safety and security for the critical infrastructure that supplies 20 percent of the U.S. daily supply of electric power. The agency also manages licensing for radioactive materials, including spent reactor fuel handling and storage.
NRC’s swift transition to pandemic-era operations was attributed to preparation and training. NRC had been prepared for widespread telework after refreshing all of the agency’s laptops to Windows 10 software last year, and paving the way for mobile access with Microsoft 365.
With the coronavirus pandemic closing in, NRC pivoted to several days of agency-wide training on telework technologies before enabling most employees to work from home. The result: 98 percent of the agency’s 3,000-strong workforce was equipped to work from home immediately, with only a two-week spike in help desk calls.
NRC doubled its VPN capacity in a week to meet increased demand, and quadrupled its capacity for concurrent VPN sessions, to a total of 3,600. On the security front, the agency quickly moved patching operations off-prem, adopting a cloud-based solution that accelerated patching for a host of zero-day vulnerabilities.
In an exclusive interview with MeriTalk, NRC CIO David Nelson explains how the agency shifted to the new normal without missing a beat – and how improvements realized during the process will go into permanent practice.
MeriTalk: What have been your largest priorities during the pandemic? What are you proudest of, and what has surprised you?
Nelson: I am very proud of the way NRC has adapted and changed so quickly.
We had a robust telework program before the pandemic, but we didn’t have executives and decision makers doing a lot of their day-to-day work remotely. We’re at 98 percent telework now. I’ve been amazed at how quickly we’ve been able to adapt our work processes and continue to accomplish our mission.
Within my office, I am particularly proud of our preparation and training. We spent several weeks before the pandemic assessing and updating our systems, processes, and plans. The week before we moved to full-time telework, we hosted several days of training for agency employees where we simulated remote access and walked people through how to use different tools. We were able to train about half our people to make sure they were comfortable, and the training process allowed us to see how we were impacting our VPN load. We went to maximum telework on March 16, and we ordered a dramatic increase in our capacity to support VPN and Skype.
The telecom carriers were amazing during this period of time; we doubled our capacity in less than a week.
And we were able to do regular work as well, like our FY 2022 budget formulation process, which required agency-wide meetings. We also kept a skeleton crew on a project to digitize older microfiche and paper documents, and since March, we have digitized about 17,000 microfiche or about 7 million images.
MeriTalk: What’s the story by the numbers of the last three months, what are some other metrics to measure success?
Nelson: Ninety-eight percent telework is the big one – we track that one every week through our COVID-19 Response Task Force. That covers our 3,000 employees, including about 800 that work in four regional offices.
I think our highest number of VPN users prior to this was 600 concurrent users, in situations like weather closings. But now we are regularly seeing 2,800 concurrent VPN users. We can also securely log into Microsoft 365 from our mobile devices. That allows us to use the portal to access email or material saved on cloud drives, without coming through the VPN. And we do have some users who access via Citrix as well. We’re monitoring that every day with a dashboard to make sure we’re managing the bandwidth appropriately and people are getting the experience they need.
We also quickly changed our cybersecurity patching process. We had on-premise servers using products to deploy patches, which made it difficult to send patches to remote workstations and stay current without requiring people to log in, go to the service, and pull the patches themselves.
We quickly tested and deployed a cloud-based solution from Microsoft Azure and it’s been amazing. We went out in March, and there were several important fixes for zero-day vulnerabilities in the May release. We got those installed in all our workstations quickly. We’re going to continue to use that process even after we go back. It’s really helped us.
We use Skype for conferencing, and our data shows we’ve more than doubled the number of daily sessions. We conduct our day-to-day meetings with Skype, and we also have a license through WebEx for larger conferences.
MeriTalk: What are your biggest lessons learned from the pandemic?
Nelson: One is making sure we have sufficient bandwidth and the tools to manage it. We developed our dashboards to monitor it in the first day of our practice telework. Being able to monitor bandwidth and adjust is important.
We had some problems initially with our help desk. You don’t really think about that when you’re working in a normal mode. It took us three or four days to work through a solution to get our help desk people effectively taking calls. We had the technology to do that before; we had just not exercised it. It would have helped us work through that issue if we had known about that beforehand.
MeriTalk: Have you seen more volume on the contact centers? How about on the agency websites?
Nelson: The help desk is internal, and they certainly did get an increase in call volume initially, because people were still trying to understand how to log into the VPN and use other methods for access. We’ve pretty much cleared that out, and we had a normal volume of calls after the first two weeks.
As far as external communications, we have done a lot of work on our website and information sharing since we moved to maximum telework. In just a couple days, we developed a dashboard with a map that allows people to understand how our nuclear power plants are operating. It also shows issues that might be happening around those nuclear plants in terms of COVID-19 cases. It’s a heat map to give people an idea of what’s going on.
We also developed tools that allow our licensees, through web-based forms, to submit exemption requests on certain processes for working within those plants. Now, we can process those requests in an automated way – without requiring faxed requests, or some of the legacy ways that we would work with licensees in the past. We did that through a low code/no code platform and got that up in eight days.
MeriTalk: Knowing what you know today, what advice would you have given yourself three months ago?
Nelson: You have to focus on fundamentals. Your IT systems, your identity and access, your role-based controls, all the permissions – they all need to be strong. You must have those in place, and that’s something our agency has done really well. We haven’t had to loosen any of our security controls because we thought through policies and put the right kinds of systems and access controls in place. It was a matter of just increasing bandwidth to support the larger number of people working remotely.
The fundamentals are critical to making sure you have the right kind of identity and access controls in place. Focusing on virtualization – the more that you have up in the cloud – is a huge argument for why we’ve been doing all the modernization for a couple of years now in the Federal government. When you’re accessing all these different applications and your data remotely, they work better when they’re in the cloud, and they’re much more reliable. And it doesn’t require our people to perform hands-on work in a data center that could present a potentially unsafe condition.
MeriTalk: Cyber threats are always out there, but the increase in telework during the pandemic has certainly stretched the attack surface. Can you tell us a little bit about what keeps you up at night related to increased cyber vulnerabilities?
Nelson: Every agency has this problem – we have thousands more endpoints than we have had in the past. That should always be a concern, so it’s more important than ever to have the right controls in place, and proper patching. We’re concerned about phishing and malicious SMS. This is an opportunity for our adversaries. Now more than ever, I’m happy with all the awareness and training that we’ve done. But it still concerns me and keeps me up at night.
MeriTalk: How is the CDM program coming into play as you keep your finger on the cyber pulse?
Nelson: CDM is an evolving program – and I think there’s real value in it. Different agencies are in different stages in the CDM implementation lifecycle. In some ways we’re out in front of a lot of that work being done. We’re very adept at using the tools right now, internally.
We have many of the tools that have been standardized across the years with CDM already in place at NRC, particularly in areas like access management. We were leading a lot of the work that was being done there. I think CDM has brought all the agencies to a place where we’re looking at the tools in the same way. We can speak the same language when it comes to what we’re checking and managing. CDM has been very good at that.
MeriTalk: Right now, and for the foreseeable future, it’s all about telework. What’s worked well across the Federal government and where have you encountered challenges?
Nelson: [Federal CIO] Suzette Kent has been a huge help bringing us together. We initially started with daily calls so we could share lessons learned, challenges, and ways we were addressing those challenges. They were amazing sessions. I don’t know how she found the hours in the day, but she was available by phone to us. I worked with her on an escalation to get support on resolving a piece of equipment that was critical to our VPN. She was the key to that. Having that daily meeting with the CIO and CISO communities was key in helping us help each other through those first couple weeks.
The Office of Management and Budget (OMB) was also helpful on working with the different organizations to make sure we were coordinating responses to the most important priorities. Certain reporting requirements were loosened a little bit. That helped a lot of agencies to reduce time on regular reports that probably weren’t as urgent as making sure that everything was working for Federal employees across the government.
I didn’t find anything that’s not working well from that perspective. OMB has been fast in working through Paperwork Reduction Act types of approvals. I’ve never seen them move through the process nearly as efficiently as they have when we needed to put up new collection-type tools.
MeriTalk: You talked about how 98 percent of the NRC workforce is remote right now. For the remaining two percent that can’t work from home, are there other IT adjustments you can provide to them?
Nelson: For the most part, those are a limited number of people that we have manning functions like our Incident Response Center or Operations Center, where we must have people physically there. We also have some sensitive, classified work that requires very few people to be in the building. Those people have had to adjust and work with us the same way as people are working remotely, by integrating the same tools and new workflows.
MeriTalk: NRC has been going through a major transformation to evolve into a more modern risk-informed regulator. Can you address how what your team has done fits into the transformation model?
Nelson: Of our seven initiatives, the easiest one to address is technology adoption. We have been working for more than a year on getting the word out, having large training sessions, and trying to work with people on adoption. We were always using metrics to look at how many people were using the different services. And we were seeing small bits of incremental growth coming out of those different attempts to train people and provide information. With COVID-19, all our metrics jumped exponentially. With technology adoption, we accomplished more than we ever expected with the new tools.
Remote work has pushed us to concentrate on how to address risk-informed decision making. All the work that we had done really prepared us to move in that direction and pushed the agency to transform and move into this risk-informed regulator position even quicker. It has really given us the confidence as an agency that we can do this, that we can move fast, and can adapt in ways that we didn’t even think were possible.
MeriTalk: Are there any areas for more collaboration across government?
Nelson: There always are. We’re reviewing the opportunity to pilot collaboration tools. We must find that balance between, “what are our priorities?” and “where do we need to work closer with different agencies?” Certainly, our agency already has close ties with other agencies like Department of Energy and FEMA. We’re always looking for ways that we can work closer with them. I think all the remote work going on right now will get the CIOs and agencies thinking about quicker adoption of integrated workflows and ways to work together more efficiently at a distance. We’ve all figured out how to do it internally. I sense that we’ll probably start moving in those directions.
I’m also on the Chief Data Officer (CDO) Council, which is relatively new, and was put in place after the Evidence-Based Policymaking Act last year. It’s playing an important role in bringing all the agencies together with discussions about data that can be shared and combined across agencies to provide better visibility into what’s going on in our world. So instead of each agency developing their own dashboard and lens into what’s going on based on their mission, we can combine some of these data sets and provide much richer information. The CDO Council is doing work in that area, which I think is going to be strong.
MeriTalk: What systems have worked best in this new environment, and what are some of the lessons learned around modernization, cybersecurity, authentication, etc.?
Nelson: Let’s get back to basics. I’m certainly happy that we had put all those fundamentals in place. We had very recently – within the last year – finished our refresh of laptops with nice secure Windows 10 images on them.
And then the basics I mentioned around cloud-based collaboration, cloud-based email – that was a huge push a couple of years ago for Federal agencies. That was critical, really important. And it’s important to have a strong network, and a strong VPN solution. I can’t stress enough to make sure you have a way to authenticate people onto your network so you can remain secure.
MeriTalk: You talked about the good level of cooperation with OMB in the calls with the CIOs and CISOs. Is there anyone within your IT organization at NRC that you would like to give a shout out to?
Nelson: I’m going to name a few teams because they’ve been incredible. Of course, our network and security teams have been fast. They were the ones that implemented the cloud-based patching solution and were able to address those zero-day vulnerabilities very quickly.
Our web team has been quick in responding to all the different offices that needed to get information out there, and communicate with stakeholders, communities, and citizens.
Our customer support teams have been outstanding in coming up with important customer experience-focused solutions addressing the challenges of working at home, and how we support people. They’re thinking through communications so that people can get up to speed very quickly.
And our digitization team that has been working on all our microfiche, our budget formulation team, and all of the information analytics support that our COVID-19 dashboard support teams have been providing.
MeriTalk: Post pandemic, what are some new things that we will keep doing, and some old things we will stop doing?
Nelson: We’ve been talking a lot about that at NRC, and I think most organizations are talking about that internally. I personally think a lot has changed, and will continue the way it’s being done today, rather than the way it was being done a few months ago. I think there will be an increased dependency on remote solutions, because we’re going to be working from home a lot more.
What will be interesting is all the discussion and thought about workspace concepts if we get back into buildings. I imagine there will be some changes. It’s been a pendulum going back and forth between open workspaces and different sorts of layouts. I wonder what conference rooms are going to be used for? Before all this, we had a huge push to make those into collaborative centers, but now I wonder how they will be used.
MeriTalk: How will you and your team function in a world without conferences as we know them? And how would you envision interacting with people from industry?
Nelson: That’s the kind of thing we’re trying to figure out now. We want to be given ample opportunity as Federal executives to get our messages out to communities of interest. I know more and more conferences are shifting to a virtual environment, so it’ll be interesting to see how those work. I think that will evolve over the next several months, or even years.
Read other Federal success stories from the COVID-19 pandemic.