Exit Interview: CIO Dave DeVries leaves post-breach OPM on solid footing

Dave DeVries at the 2016 Public Sector Innovation Summit. (FedScoop)

Share

Written by

When former acting Office of Personnel Management Director Beth Cobert asked Dave DeVries in 2016 to take over the agency’s beleaguered CIO role, his initial answer was no.

At the time the principal deputy CIO at the Defense Department, DeVries had his sights set on retirement from federal service and a move back home to Michigan. But it was his sense of duty, he told FedScoop, that would sway him to accept the chief IT position at OPM, just years removed from the most catastrophic data breach in federal history.

Now a year later, DeVries will finally step away from federal service Friday “out of family consideration,” and he’ll begin a new role as CIO of Michigan. He leaves OPM — an agency with a CIO’s office not long ago beyond disrepair — on solid footing and prepared to lead the federal government in the plunge toward modernization.

“You just know that it’s time, and I have some family considerations there that I need to take care of now,” he told FedScoop in one of his final interviews as OPM CIO. DeVries called his decision to leave, however, a hard one, “just because of the various projects we have underway. … There is no good time to exit out of the federal space. And I weighed long and hard on this one here.”

A year isn’t much time to make meaningful change in a federal agency, especially while funded by a continuing resolution and during the “friendly tension” of an administration change. But DeVries points to his ability to rebuild his team within the OPM Office of the CIO and refocus that organization around OPM’s core business as his biggest accomplishments.

“This is about OPM and the businesses that we do,” he said. “So we do hiring. How do we attract young people in from college? How do we attract them in from other walks of life? How do I bring in somebody that was maybe in government, went back out to the private side, how do I bring them back in again to work in the government sector? How do I maintain them throughout that?”

On top of that, there’s the businesses of retirement and benefits services, as well as background investigations — a process that is heavily rooted in IT and undergoing a major overhaul after the security breaches in 2015.

“All of that is what OPM does — that is what OPM should be known for, that’s what we do here,” DeVries said.

Also during his short tenure, DeVries hired OPM’s first deputy CIO, Rob Leahy, who will take over as acting CIO. Likewise, he continued to build a team around OPM CISO Cord Chase as the agency rededicated itself to becoming a federal cybersecurity leader after the hacks.

So while DeVries can count his fair share of items checked off of OPM’s list of IT needs — he was able to close four of the agency’s nine data centers in the past year, with more scheduled to shut down soon — his real impact can be felt in how the OPM of today thinks about IT and the role of the CIO.

“The CIO doesn’t need to own everything, but the CIO needs to be involved in it,” he explained.

“Why? Because at the end of the day, it’s about government information. And just as we were the stalking horse for what happens if you don’t do the right stuff, we have to be the stalking horse for ‘this is the right way to do stuff.'” DeVries said. “I didn’t say I need to own all of that, I didn’t say I need to have it in my building here. But I need to know where it is and I need to know that it is properly protected and only the right people can get to the information that they’re authorized to get to.”

That last piece is most crucial, and will continue to be, as OPM distances itself from the agency it was when the information of millions was stolen from its systems in 2015. It’s a change that’s as much about culture and people as it is the technology.

“Everything that we do here at OPM … takes people and IT,” he said.

OPM has made progress moving some of its applications to the cloud, but DeVries said there has been slow movement for other systems because “I need to have it FISMA-high protected. That’s my one mandate. For a lot of my important data, I can’t go to that cloud yet because we don’t yet offer that. … By the end of this calendar year, I think we might have something there for us.”

And, OPM has been perhaps the federal government’s biggest proponent of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, which DeVries called “a whole new way for government to look at things.”

But the biggest change comes culturally, he said.

“It’s from the top down. Leadership is involved here,” DeVries said. “Day one from when I walked here to this Friday when I walk out, I’m not afraid nor ashamed to bring up bad news. So if something is happening out there, I can bring it up and it gets resolved.”

OPM and DOD, the two places DeVries spent the entirety of his federal career, aren’t much alike in top-level mission. But as he retires from the federal government, he said his job was almost identical at both.

“As I laid out what the mission of OPM is, that’s what I did inside the military too,” he told FedScoop. “I took those jobs where it made sense to promote the missions of DOD, the services, and if you can bring about change and move that mission along, then I think it’s on us to do it. So I came here, and it’s been fun, and I’m so glad I did come here.”

-In this Story-

Beth Cobert, CIO, Dave DeVries, Office of Personnel Management, OPM, OPM breach