Wednesday, January 25, 2023
A Conversation with Guy Cavallo, Chief Information Officer, U.S. Office of Personnel Management (OPM)

“Given I am the tenth CIO in the last 12 years at OPM,” explains Guy Cavallo, “I am focused on bringing stability and I can do that by setting a clear IT vision and strategy.” Recently, Guy Cavallo joined me on The Business of Government Hour for a timely and insightful discussion on OPM’s cloud-first IT modernization program, increasing OPM’s technology workforce, replacing its legacy contact center for retirement services, and work to accelerate the adoption of a zero-trust cybersecurity architecture. The following is excerpted from our conversation. 

On Being OPM CIO

As OPM CIO, I am responsible for all technology systems and infrastructure for the agency. What gets me up in the morning is my excitement for improving the lives of current federal employees and those of federal retirees who use OPM services. We need to be more customer service focused. We need our information systems to be more redundant and easier to use.

I've been CIO for over 15 months. OPM has had a rough time over the last few years. There was an attempt to abolish this agency a few years ago. Though that didn’t happen, many good people left the agency. Since I arrived, I've been rebuilding the CIO team. I have had vacancies in many key positions such as enterprise architect and chief technology officer. A significant amount of my time has been spent on personnel, making sure that I have the right staff. I think about 85% of my leadership team is new. 

CIOs can make the right technology decision, but unless they take seriously the business processes and culture of an organization, they are likely to fail. In my role as an IT leader, I must set the vision so that my team knows where we're going. I must sell the vision not only to my team, but also to the business departments. Given I am the tenth CIO in the last 12 years at OPM, I am focused on bringing stability and I can do that by setting a clear IT vision and strategy. To that end, I have had my team develop a draft IT strategic plan that aligns with the agency’s latest strategic plan. In fact, we are getting ready to release to the public the OPM IT strategic plan. When taken together, these two documents provide an insightful roadmap for where the agency is headed.

On Management Challenges 

I would say that filling vacancies in my office with the right people with the right talent is a key management challenge. We're always struggling to compete with the private sector. What I've seen executives do over time is when you need to make a major technology shift, you have three paths that you can take. One is you can hire contractors and empower them to do all the change, which ends up sidelining your staff. The other option is you provide training and certification programs for the present staff, but you need to invest three to five years for them to pick up the needed skills. Both options on their own are wrong. I've come up with option C, which is a hybrid approach that combines both options A & B. I bring in outside experts that have the current skills we may need to migrate to the cloud, and I intermix them with my present staff that knows the legacy systems but hasn't had time to learn the cloud. 

We've invested heavily in training. For my present staff, we provide unlimited cloud training to everybody on the staff. We pay for cloud certifications. Just a few months ago, we had about 35 employees on our legacy team get cloud certified so they can more effectively work with our cloud contractors. 

The other challenges involve money and culture. On the money side, we are still dealing with costs associated with transferring the background investigation system to the U.S. Department of Defense. That effort happened quickly and there was little time to figure out the entire cost and impact of the system transfer. As a result, the OPM IT budget is very strained. I have a very good relationship with OMB and Capitol Hill. I'm very transparent with them and am working with them to make sure the agency IT is properly funded.

The third challenge is culture. I always tell my IT staff, “If you are opposed to change, why did you pick technology as a career when it's changing every day?” Change is difficult. To mitigate the impact of change, it is key for a leader to communicate, communicate, communicate. Why are we doing this? What are the improvements? How will your job change? For example, I have some engineers that currently manage on‑premise storage. They were the first group that came to me and said, "Okay, when we move to the cloud, what happens to my job?" I said, "Well, first of all, you're going to love it because instead of worrying about running out of storage every day, I'm going to ask you to make sure that we're optimizing and lowering our storage costs every day. I still need this function, but instead of just trying to shuffle disks around to save space, I need you to think about the business impact and help us decide."

What I have found is you cannot over communicate during a culture change. If you think you're covering it, double your efforts and talk more about it. But also, leaders need to be active listeners: hear what people are telling you and most of all address their concerns as soon as you can.

On Key Strategic Priorities 

Moving to cloud is my top priority along with hiring the right staff and making sure that we are always training. Cloud is the best way for the federal government to deliver the best services to our citizens. Unlike the last time I helped move an agency to the cloud, today we have data to show the cost saving and/or cost avoidance. 

Today we're in the middle of running tools to calculate the cost of moving every system to the cloud. We've developed a plan on how we're going to migrate and identify what systems we're going to move. The federal CIO Council has an application rationalization process. We've used it. Basically, this entails assessing your systems and applications and putting them into a grid of four classes. Systems that are assigned to the first class are those no one is using, so those systems get turned off. The second class involves those systems that are so complex or convoluted that they need to stay on premise for now. Then, there are systems that can move to the cloud quickly as infrastructure as a service. The fourth class is systems and/or applications we can switch to platform as a service. We've completed this analysis and have also associated level-of-effort estimates for each migration.

Congress has also required OPM to develop a new health benefits program for the U.S. postal workers in a very short time frame. We are currently working on developing an entirely new system. It may have been assumed at first that to do this would simply require some modifications to the current federal employee health benefit system, but that is not the case. There are different rules and eligibility requirements mandated for the postal service.

We are also pursuing the priorities of the Biden administration. We've built the first DEIA dashboard for the federal government. We are supporting efforts to bring in early career talent, which focuses on interns and people early in their career. 

We are stabilizing the inherited OPM infrastructure. We’ve turned on enterprise dashboards. I made it uniform so that everybody at OPM can create dashboards and display their data in an easy‑to‑use format. Having this capability helps them see their data and affords them the ability to make more informed decisions. 

On Cybersecurity and Zero Trust 

This is my second time moving an agency towards zero trust. I began it at SBA. Earlier on at OPM, I recognized given the realities of the federal budget cycle that we’d have to wait two years before I could ask for zero‑trust funding. Therefore, we submitted a request to the Technology Modernization Fund (TMF) for the funds. We were one of a few agencies that received early approval. 

We are well underway implementing zero trust. My CISO has taken the lead sharing everything about our organizational journey with the federal community. We are willing to share best practices, lessons learned, as well as roadblocks we faced and overcame. With today's cyberattacks, zero trust is the way to go to protect data. The old build a moat around your network isn’t good enough. Today, we must protect from inside as much as out. It is going to take a couple years to be fully implemented. We're doing it in stages and keeping in mind the user experience. For example, when we were at the SBA, we replaced the VPN with a zero‑trust connection. Going in this direction streamlined the process end users went through to access the agency network. The end user put in their PIV card, typed their PIN, and they were done. 

From a cyber perspective, we love zero trust because it takes away the ability of end users to use their laptops without a secure connection. If you’re going to log on to your OPM laptop, then it's always going to be connected through zero trust. We're also able to do patching, collect performance data, and do all the things we couldn’t do under VPN.

What I illustrated above represents the easier part of zero trust. The difficult effort is addressing more intricate scenarios such as taking Joe and Sally and then deciding Joe is going to get this level of access to these three systems at this level and nothing else, while Sally can have access to these five systems at this level. Getting to this scenario requires significant legwork and will take longer. 

On Enhancing the Customer Experience 

I want to focus on the user experiences of our employees. The pandemic shifted the federal government from limited telework to expanded telework. Last year, we equipped employees with the same office equipment at home that they have in the office -- all the same tools and capabilities. This initiative impacted our employees, and, in the end, enhanced their work experience. 

We also migrated OPM from five different productivity tools to a single enterprise platform. With hybrid and remote work, we all needed to get on the same enterprise platform so that we could communicate. I laid out the business and cost reasons for moving to an enterprise platform. In fact, we led a pilot with the rest of the federal government. We're able to interface from productivity user to productivity user in 28 other agencies. We can have an HR specialist at OPM start an online chat with somebody at NASA. If they decide that the discussion is too complex for chat, then they can immediately hit a button and go into video call.

On the other side, we created a digital services team within OPM with current customer experience and cloud skills. I've worked with the federal digital services team. They help, but they end up moving on to other agencies. Therefore, I saw the value of creating an internal digital services team and partnered them with the legacy team as part of our modernization effort. We're a big user of DevOps and user stories. In fact, the postal system that I mentioned to you, we have the entire agency mapping user stories in a common tool so that we can see the impact on the CFO, on our retirement systems, on our health insurance team, and on the CIO. Our director's office loves the dashboard because they can see progress and what more needs to be done. 

We're also focused on journey mapping the entire process for someone who applies to become a federal employee. They go through federal interviews. They get hired by agency A. Later in their career they change to agency B. They get married. They change their health benefits. And eventually they retire. We've mapped out that whole journey. Unfortunately, right now each of these instances is treated in its own silo. We want to make this one common journey.

This is my fourth time back in federal service. There's a reason I keep coming. I've enjoyed my private sector work, too, but that passion to improve citizen services keeps bringing me back to the federal government.