DHS launching a CDO office and CMMC-like risk management program

The CDO is organizing work around eight priority data domains, and the department is looking to pilot a CMMC approach with its vendors.

The Department of Homeland Security is standing up an Office of the Chief Data Officer to better integrate data into its operations and those of other agencies, said new CIO Eric Hysen.

Acting CDO Carlene Ileto is organizing work around eight priority data domains that include immigration, law enforcement and cybersecurity.

The office will identify leaders in each domain to further data governance and information sharing, ensuring DHS‘s IT modernization is led by frontline operators.

“Data must be interoperable and easily shareable by default, and the work we’re doing standing up our CDO office will help us get there,” Hysen said during day two of the IT Modernization Summit presented by FedScoop on Thursday. “This will support efforts ranging from internal projects like workforce vaccination to presenting a common operating view across agencies working to process migrants at our Southwest border, to sharing threat and intelligence information across our law enforcement functions.”


The need for a CDO office was underscored when DHS launched a departmentwide COVID-19 vaccination campaign in partnership with Department of Veterans Affairs health centers. DHS needed to identify, contact and manage responses from workers, which required “extensive time and effort to collecting and reconciling many different datasets from across the department,” Hysen said.

DHS is also strengthening cybersecurity through its Zero Trust Action Group, which is working across components to implement a zero-trust security architecture.

“We were one of many agencies that fell victim to the SolarWinds intrusion campaign,” Hysen said. “For too long, we viewed cybersecurity as an all-or-nothing approach based on a perimeter security model that’s decades out of date.”

Now DHS is embedding security into all parts of the IT organization, network architecture and software development life cycle to better mitigate breaches when they occur.

The Zero Trust Action Group is developing reusable security architectures, policy guides, pattern libraries, and reference implementations with a two-year plan to deploy zero trust departmentwide through 90- and 120-day sprints.


Early efforts include using cloud access security broker and cloud security gateway technologies to give employees direct access to certain secure cloud services from home, which reduces the burden on DHS’s virtual private network and internal network. The action group is also implementing software-defined networking to further segment requests for access to specific resources.

The work of the action group doesn’t mean vendors are off the hook securing their software systems by design, which is why DHS is developing a supply chain risk management program, Hysen said. The department wants to implement vendor due diligence assessments and software assurance processes to understand the provenance of commercial off-the-shelf products before they’re purchased and used.

“We’re looking very closely at [the Department of Defense]’s Cybersecurity Maturity Model Certification, or CMMC, and looking to pilot that approach within our vendor base as well,” Hysen said. “And when we do identify issues we are fully implementing our authorities under the SECURE Technology Act to remove companies from the department’s IT supply chains, as well as supporting DHS’s governmentwide responsibilities via the Federal Acquisition Security Council.”

While DHS is asking more from vendors, it will solicit feedback from them along the way so there are no surprises, Hysen added.

DHS also wants to improve the customer service of its public-facing services starting with the most burdensome ones. Department services account for 183 million hours of public burden annually, Hysen said.


“[O]ur immigration system is so complicated that it forces people to master esoteric form numbers and processes, while they’re navigating rush-hour traffic, to access vital services,” Hysen said. “We can do better. Our public-facing services need to be designed around the needs of the people who depend on them, rather than being designed around our org charts.”

Latest Podcasts