The MITRE Digest


Helping HUD Give Your Information a Safe Home


January 2008


If you want to know what the U.S. Department of Housing and Urban Development (HUD) can do in a community, visit Discovery Park. An 11,000-square-foot facility located on the campus of Sully Elementary School in Sterling, Va., Discovery Park is an outdoor playground in which children experience science through play and exploration of their environment.

A grant from the Community Development Block Grant program, one of HUD's longest-running programs, helped Discovery Park become a reality. But the process of winning a grant isn't without potential pitfalls. Block grant applications contain sensitive personal and financial information, and no one wants to see it fall into the wrong hands.

"Block grant files are required to be kept separately and in a secure setting," says Jan Boothby, who manages the grant program for the Loudoun County (Va.) Department of Family Services. "HUD is very security-conscious, and so is Loudoun County."

That awareness—and prompting from a key lawmaker—moved HUD to beef up its process for keeping information secure. For help in that mission, the agency turned to MITRE, which has extensive experience in guiding large-scale government IT systems through major change. The work has paid off, as HUD's information security ratings have moved from the bottom to the top of the class in a relatively short time.

Secure from the Start

For almost three years, a team from MITRE's Center for Enterprise Modernization, which works with civilian government agencies, has helped HUD make the wide range of information it processes less vulnerable to misuse. Under experienced leadership—initially from Donna Grubb-Hewlett, a MITRE project leader, and then David Hollis, a principal information systems engineer—the MITRE team helped HUD weave information security measures into every aspect of the agency's business.

In the process, the MITRE team has helped bring about a cultural change in what Grubb-Hewlett calls "an incredibly unrecognized agency with a very noble mission." Where information security may once have been viewed by some as peripheral to HUD's main mission, it is now included in a five-year strategic plan (which the MITRE team helped craft) and its enterprise architecture. No IT system HUD uses goes into production now without some kind of information security provision built in. And HUD's Information Security Office has been realigned so it can address the most important aspects of an information security program. For one thing, the office now communicates directly with the chief information officer (CIO) about its progress, instead of having to go through others.

"The difference we've made is to help them take the theory from the Information Security Office out into the program areas and to let them see the practical impact," Hollis says. "HUD is in a better place now to move all its contractors to include information security and to effectively submit security plans."

It wasn't at all clear that such rapid progress would be possible two years ago.

"Stakes in the Ground"

HUD has many of the same challenges as MITRE's other government customers—an information technology security program with sensitive data to protect. For instance, the agency processes some 600,000 transactions a month from people seeking mortgage loans from HUD. Protecting that information is the job of HUD's IT Security Office. Traditionally, according to HUD Chief Information Security Officer Patrick Howard, the security team delivered "systems access, automated data processing security capability, and maybe a little firefighting occasionally, but no real long-term view of how security should be implemented."

That was before Rep. Tom Davis, a Virginia Republican, came out with his 2005 ratings of how well federal agencies were measuring up to the standards set by the Federal Information Security Management Act (FISMA) of 2002. For HUD, the news wasn't good; its FISMA grade that year was D+. It was a wake-up call for the agency, and Lisa Schlosser, who took over as HUD CIO in February 2006, moved aggressively to respond.

"We finally just got to the point of realizing there was something broken here, and that we needed to do something to get into compliance with FISMA," says Howard.

FISMA compliance was certainly important, but the MITRE team working with HUD saw broader issues. Interviews the team conducted throughout the agency revealed some confusion over the direction HUD's IT Security Office was taking and how the staff could best comply with the security measures they were being asked to introduce. The way to remedy that, MITRE's team told HUD representatives, was to look at information security as a long-term strategic objective, with management and operational functions that were as important as technical knowledge.

"We told them that if they really wanted to stop putting out fires and have a solid program that's going to do what it's intended to do in the first place, they had to put some stakes in the ground—they had to build a foundation," Grubb-Hewlett says. "And they listened."

Security—Not an Add-on Item

The foundation was built into a new enterprise architecture—one that locked information security measures into HUD's business and technical framework—and with the five-year strategic plan. The blueprint includes new policies and procedures based on the managerial, operational, and technical aspects of information security. It lays out plans to train HUD employees in information security procedures and to ensure they have the proper credentials (such as updated security clearances) to execute them.

Another major step in elevating information security to the forefront at HUD was opening freer channels of communication; MITRE is uniquely positioned to help bring that about. There were a number of groups in HUD that may or may not have been talking to each other, but they all talked to MITRE. And the MITRE team told each of them the same thing: Unless they made information security a top priority, their ability to carry out their mission would suffer.

"When we worked with HUD, we always gave them consistent information," says Karen Quigg, deputy project manager for MITRE's HUD team. "We helped them understand the interconnections between what they were doing and helped them with ideas on how to make some of those cultural changes that had to take place for the project to be successful."

At MITRE's suggestion, the IT Security Office was reorganized into several different branches, each tasked with addressing one of the security priorities MITRE and HUD identified. Another component of the strategic plan calls for the Security Office to give others in the agency more guidance on how to implement security measures, and to make itself more accessible to those with questions or concerns.

"Part of the service [the Security Office] provides is to help their colleagues understand what security's all about and why it's important to the mission of the agency," says Grubb-Hewlett. "It's not something you add on later. You need to include this in your planning process."

Making the Grade

At HUD, the process of institutionalizing information security continues, and as employees there gain greater awareness, they've become better equipped to spot vulnerabilities. But Howard likes to believe that HUD has "turned the corner"—and gives MITRE a generous share of the credit.

"Had MITRE not been around, it just wouldn't have happened as fast," he says. "If that support had not been good, or somehow may have misled us, we would have lost probably a year, because we would have had to turn the clock back, so to speak, and fix things that were broken. But since we had the MITRE team, which has a very good knowledge of government across the board and what others are doing in the compliance area, we were able to get the most important aspects early on."

Meanwhile, one of the most concrete indications of a turnaround came last year. When the FISMA ratings for 2006 were released, HUD received a grade of A+. Putting the achievement in perspective, Hollis says the improvement means that, "Compared to its peers, HUD has taken steps to improve information security, and they've done a better job. I think we helped in an area of their business that's critical to their success in terms of public trust, using information technology as an enabling force to accomplish its mission. It has strengthened HUD's standing in the government and with the public. To go from nothing to something is a long way."

—by Russell Woolard


Page last updated: January 2, 2008

Copyright © 1997-2013, The MITRE Corporation. All rights reserved.
MITRE is a registered trademark of The MITRE Corporation.
Material on this site may be copied and distributed with permission only.
