Pursuing IT Modernization at OPM

“Given I am the tenth CIO in the last 12 years at OPM,” explains Guy Cavallo, “I am focused on bringing stability and I can do that by setting a clear IT vision and strategy.” Recently, Guy Cavallo joined me on The Business of Government Hour for a timely and insightful discussion on OPM’s cloud-first IT modernization program, increasing OPM’s technology workforce, replacing its legacy contact center for retirement services, and work to accelerate the adoption of a zero-trust cybersecurity architecture. The following is excerpt from our conversation. 

 On Being OPM CIO 

As OPM CIO, I am responsible for all technology systems and infrastructure for the agency. What gets me up in the morning is my excitement for improving the current federal employee’s life and the retiree’s life in dealing with the OPM. We need to be more customer service focused. We need our information systems to be more redundant and easier to use.

I’ve been CIO for over 15 months. OPM has had a rough time over the last few years. There was an attempt to abolish this agency few years ago. Though that didn’t happen, many good people left the agency. I’ve been rebuilding the CIO team. I have had vacancies in many key positions such as enterprise architect, chief technology officer. A significant amount of my time has been spent on personnel, making sure that I have the right staff. I’ve built a team that’s based on moving to the cloud and modernization versus supporting the legacy background. Now, of course, we must do that until we get things migrated to the cloud. I think about 85% of my leadership team is new. 

What I have learned through the years that CIOs can make the right technology decision. However, unless they take seriously the business processes and culture of an organization, they are likely to fail. In my role as an IT leader, I must set the vision so that my team knows where we’re going. I must sell the vision not only to my team, but also to the business departments. Given I am the tenth CIO in the last 12 years at OPM, I am focused on bringing stability and I can do that by setting a clear IT vision and strategy. To that end, I have had my team develop a draft IT strategic plan that aligns with the agency’s latest strategic plan. In fact, we are getting ready to release to the public the OPM IT strategic plan. When taking these two documents together they provide an insightful roadmap for where the agency is headed.

On Management Challenges 

I would say that filling vacancies in my office with the right people with the right talent is a key management challenge. We’re always struggling to compete with the private sector. What I’ve seen executives do over time is when you need to make a major technology shift, you have three paths that you can take. One is you go out hire contractors and empower them to do all the change ending up sidelining your staff. The other option is you provide training and certification programs for the present staff, but you need to invest three to five years for them to pick up the needed skills. Both options on their own are wrong. I’ve come up with option C, which is a hybrid where you do both. I bring in outside experts that have the current skills we may need to migrate to the cloud, and I intermix them with my present staff that knows the legacy systems but hasn’t had time to learn the cloud. 

We’ve invested heavily in training. For my present staff, we provide unlimited cloud training to everybody on the staff. We pay for cloud certifications. Just a few months ago, we had about 35 employees on our legacy team get cloud certified so they can more effectively work with our cloud contractors. 

The other challenges involve money and culture. On the money side, we are still dealing with cost associated with transferring the background investigation system to DoD. Things happened pretty quickly nobody had time to figure out the entire cost and impact of this system transfer. As a result, the OPM IT budget is very strained; we’re still working to get that cost. I have a very good relationship with OMB and Capitol Hill. I’m very transparent with them and am working with them to make sure the agency IT is properly funded. 

The third challenge is culture. I always tell my IT staff, “if you are opposed to change, why did you pick technology as a career when it’s changing every day”. Change is difficult. To mitigate the impact of change, it is key for a leader to communicate, communicate, communicate. Why are we doing this? What are the improvements? How will your job change? 

For example, I have some engineers that currently manage on‑premise storage. They were one of the first groups that came to me and said, “Okay, when we move to the cloud, what happens to my job?” I said, “Well, first of all, you’re going to love it because instead of worrying about running out of storage every day, I’m going to ask you to make sure that we’re optimizing and lowering our storage costs every day. I still need this function, but instead of just trying to shuffle disks around to save space, I need you to think about the business impact and help us decide.”  

What I have found is you cannot over communicate during a culture change. If you think you’re covering it, double your efforts and talk more about it. But also, be an active listener: hear what people are telling you and most of all address their concerns as soon as you can.

On Key Strategic Priorities 

Moving to cloud is my top priority along with hiring the right staff and making sure that we have training. Cloud is the best way for the federal government to provide the best services to our citizens, making sure that we’re investing in our employees with continued training. Unlike the last time I helped move an agency to the cloud today, we have data to show the cost saving and/or cost avoidance. When we did this at SBA, Maria Roat and I knew it would provide better service though we hadn’t had the data we have now. 

Today we’re in the middle of running tools to calculate the cost of moving every single system to the cloud. I didn’t have that hard data before. I’m going to have it now. We’ve developed a plan on how we’re going to migrate, identifying what we’re going to move. The federal CIO Council came out with an application rationalization process. We’ve used that, where basically you take each system and you put it into a grid of four classes. The first class are systems that no one is using, so we’re going to turn it off. There are those systems that are so complex or convoluted that they need to stay on premise for now. There are systems that can move to the cloud quickly as infrastructures of service. The fourth class is we can switch it to platform as a service. We’ve completed this analysis tying with it level of effort estimates for each migration. 

Congress has required OPM to develop a new health benefits program for the U.S. postal workers in a very short time frame. The current federal employee health benefit system has a different set of rules and eligibility requirements than what has been mandated for the postal service. They might have assumed this effort simply a quick modification when it requires entirely new system. 

We are also pursuing the priorities of the Biden administration. We’ve built the first DEIA dashboard for the federal government. We are supporting efforts to bring in early career talent, which is their way of talking about interns and people early in their career. 

We are stabilizing the infrastructure I inherited. We’ve turned on enterprise dashboards. I made it uniform so that everybody at OPM can create dashboards and display their data in an easy‑to‑use format. Having this capability helps them see their data and affords them the ability to make more informed decisions. 

I have also learned that to be a successful CIO you must work hand in hand with the financial team because this is a change for them too. And being able to explain these things to them is really a big help. In fact, one of the first applications I moved to the cloud was a CFO application. 

On Cybersecurity and Zero Trust 

This is the second agency that I am pursuing zero trust. I began it at SBA. Earlier on, I recognized given the realities of the federal budget cycle that we’d have to wait two years before I could ask for zero‑trust funding. There, we submitted a request to the Technology Modernization Fund (TMF) for the funds. We were one of the few agencies that received early approval. 

We are well underway implementing zero trust. My CISO has taken the lead sharing everything about our organizational journey with the federal community. We are willing to share best practices, lessons learned, as well as roadblocks we faced and overcame. 

With today’s cyberattacks, zero trust is absolutely the way we must go to protect our data. The old build a moat around your network isn’t good enough. Today, we must protect from inside as much as out. It is going to take a couple years to be fully implemented. We’re doing it in stages and keeping in mind the user experience. For example, when we were at the SBA, we replaced the VPN with a zero‑trust connection. This meant that end users went from clicking on about eight things to get started every day to two things. The end user put in their PIV card, typed their PIN, and they are done. 

From a cyber perspective, we love zero trust because unlike with VPN the end user does not have the option to turn it off and still use their laptop. With zero trust, the end user isn’t allowed to turn it on the laptop. If you’re going to log on to your OPM laptop, then it’s always going to be connected through zero trust. Unlike under VPN, we’re able to do patching, collect performance data, and do all the things we couldn’t do under VPN. 

What I illustrated represents the easy part of zero trust. Taking Joe and Sally and then deciding Joe is going to get this level of access to these three systems at this level and nothing else, while Sally can have access to these five systems at this level. Getting to this scenario requires significant legwork and will take longer. I’m excited about that thought. 

On Enhancing the Customer Experience 

I want to focus on the user experiences of our employees and staff. The pandemic shifted the federal government from limited telework to expanded telework. Last year, we equipped every federal employee with the same office equipment at home that they have in the office — all the same tools and capabilities. These are our internal customers. This initiative impacts OPM employees, and, in the end, enhances their work experience. 

We also migrated OPM from five different productivity tools with none of them being used across the enterprise. With hybrid and remote work, we all needed to get on an enterprise platform so that we could communicate. I laid out the business and cost reasons for moving to an enterprise platform for the entire agency. In fact, we have led a pilot with the rest of the federal government. We’re able to interface from productivity user to productivity user in 28 other agencies. We can have an HR specialist at OPM start an online chat with somebody in NASA.  If they decide that the discussion is too complex for chat, then they can immediately hit a button and go into video call. 

On the other side, we created a digital services team within OPM with current customer experience skills and cloud skills. I’ve worked with the federal digital services team in other agencies. They help, but they end up moving on to other agencies. I’ve partnered them with the legacy team as part of our modernization effort. We’re a big user of DevOps and user stories. In fact, the postal system that I mentioned to you, we have the entire agency mapping user stories in a common tool so that we can see the impact on the CFO, on our retirement systems, on our health insurance team, and on the CIO. Our director’s office loves the dashboard because they can see progress and what more needs to be done.  

We’re also focused on journey mapping the entire process for someone who applies to become a federal employee. They go through federal interviews. They get hired by Agency A. Later in their career they change to Agency B. They get married. They change their health benefits. And eventually they retire. We’ve mapped out that whole journey map. Unfortunately, right now each of these instances are treated in their own silo.  We want to make these one common journey.  

This is my fourth time back in federal service. There’s a reason I keep coming. I’ve enjoyed my private sector work, too, but that passion to improve citizen services keeps bringing me back to the federal government.