Actionable lessons that fueled success during a challenging uptick in output demand – in an environment of change and constrained resources.
In this BI Case Study, we share the keys and actionable lessons that fueled success during a challenging uptick in output demand, while facing headwinds of change and constrained resources.
The Privacy Compliance Challenge at the FAA
The Federal Aviation Administration’s (FAA) critical mission is to provide the safest, most efficient aerospace system in the world. Essential to supporting this mission is the FAA’s duty to protect the privacy of the public and the data that the FAA collects.
BI’s daily challenge is to support the FAA Chief Privacy Office (CPO) to promote privacy policy compliance for the FAA’s large Information Technology (IT) inventory.
BI has supported aspects of the FAA’s privacy mission since 2014. Since then, BI’s privacy compliance support has shifted within the FAA. The volume, scope, and complexity of the mission have increased and BI’s internal FAA customer has changed.
Volume:
Since the FAA CPO became our client, BI has supported privacy compliance for a broader range of FAA Lines of Business, adding responsibility for approximately 200 additional systems.
Scope:
- Since Privacy Continuous Monitoring (PCM) compliance documents were introduced in 2019, we’ve produced these documents, which assess system privacy risk between Privacy Threshold Assessment (PTA) cycles
- BI began drafting Privacy Controls Assessments (PCAs) in March 2022 as part of our PTA and PCM documents
Complexity:
Increased volume and scope have combined, resulting in increased complexity in scheduling and logistical support. Today, the Department of Transportation (DOT) reviews BI’s PCA work after the FAA CPO submits the PTA or PCM documents.
Figure 1 – The baseline requirement in FY20 was 60 documents (orange horizontal bar, lower left). BI topped it by 20%, producing 72. Despite a sharp growth in demand over 3 years, BI has delivered – with no increase in personnel and while adding new capabilities.
The Key to Improvement: Innovation
From Fiscal Year (FY) 2020 through the end of FY22, BI’s team remained the same size. However, even with the major changes at the FAA, we increased productivity 188% from FY20 to FY22 (Figure 1), all while also adding new capabilities.
How did we do that? In a word: innovation.
BI views innovation as a process: It begins with awareness. Awareness leads to insight. And insight leads to action.
In meeting the day-to-day challenge of supporting privacy compliance at a large, dynamic federal agency, we observed that there was an opportunity for improvement by changing the operational model at its core.
Responding to the changing needs and desires of our client, one of our innovative approaches was to change from ad hoc assignments to a managed approach. This new approach linked BI resources to specific FAA Lines of Business (LOB). When making these new links, we factored in staff expertise and experience and the volume and complexity of the systems in the LOBs.
The benefits of the new operating model were immediately obvious. Rather than the ad hoc, take-what’s-next-in-the-queue model that was in place, the new operating model allowed BI team members to focus on a specific LOB and become experts in its associated nuances.
Since our staff could dig deeper into a single LOB rather than working across LOBs on a document-by-document basis, they not only gained a better understanding of their specifically assigned LOBs and the systems that support them, but they were also able to build better, more robust relationships with stakeholders within LOBs. This increased knowledge, engagement, communication quality, and exposure within the LOB.
We discovered that our focused approach made preparatory research easier, more consistent, and repeatable. Now BI is better able to troubleshoot issues, see trouble spots, and because of our deeper understanding, even anticipate potential trouble before it arises.
We discovered that preparatory research became easier, more consistent, and repeatable – and now we’re better able to anticipate trouble before it arises.
The managed assignment approach results were very satisfying, but a further positive result, as we so often find, is that improvement and innovation lead to even more opportunities for improvement and innovation. One opportunity that resulted in even greater synergy was the creation of a Privacy Schedule.
BI delivered the FAA’s first-ever Privacy Schedule in FY21. Once our Schedule was complete, we had visibility into all the PTAs and PCMs required for systems undergoing security assessments. Over the course of the year, as we became aware of new systems being assessed, we were able to add them to the schedule and track them to completion. Additionally, we added value to the Schedule by developing project management timelines. We documented and made visible each stage of the document development cycle – which made the process not only visible, but also repeatable. It enhanced continuity and communication and made it easier to train new staff on our shared process. And because the process was visible, it became transparent as to where we were in the Schedule and each document’s process, allowing management to anticipate when adjustments were needed.
“[Linda Morales] runs the entire assessment team and has her finger on the pulse of the FAA Assessments in progress, and at all stages of the compliance process.”
- Visible / Transparent: Tracking duration in each stage, depicting delays or ahead of schedule, calculating total duration in days from Kick-off to adjudication
- Efficient: The “big picture” overview based on workflow facilitates planned, efficient resource allocation and prioritized coverage (FY22 – 23)
- Scalable: Able to add and resource new work easily
  - Able to include any required privacy compliance documents using an established workflow
    - For example, we add Privacy Impact Assessments (PIAs) and System Disposal Assessments (SDAs) as the need arises out of the privacy compliance process
- Handles expanded tasks and new organizations: Including Air Traffic Organization and Enterprise Services Center (ESC) systems
- Provides agile visibility into management concerns: Adaptable, criteria-based Priority Flags and Override Flags
  - Including Authority to Operate (ATO) dates and the quarter of the FY in which the ATO expires, so that FAA can align its privacy assessments with the ATO date to comply with DOT Policy
BI’s Privacy Schedule is a tool that empowers programmatic and project discipline, which is especially critical when output demand increases and resources must be economically managed.
Continual awareness and engagement with the customer, the environment and change, inevitably leads to opportunities for innovation and improvement.
“Virginia [Suazo] as the lead, supported the assessment wonderfully as well (which is no surprise – as she has made a great lead!)”
Achieving privacy compliance is challenging, but we continue to maximize results.
- Privacy is a support function, just like IT security, legal, and many other functions that support the operational mission of complex organizations
- Support functions may be viewed as “cost centers” and their budget allocations fixed with an economizing mindset
- BI understands the importance of good stewardship and optimizes the return on public money by pursuing innovation and continual improvement
- We have succeeded in delivering greater productivity for our client
The BI team has been the same size from mid-FY20 through FY23, while still increasing productivity each year, despite changes in our internal client, workload, scope, and complexity. Our Schedule also provides greater transparency by showing FAA leadership how long it takes BI to do “its part” of the privacy compliance work.
BI’s Privacy Schedule is a tool that empowers programmatic and project discipline, which is especially critical when output demand increases and resources must be economically managed. Adaptable to any client, BI’s Privacy Schedule allows the client to understand what work is being done, how long it takes, and to identify potential bottlenecks or trouble spots in the document production process. BI can also create a “priority score” based on common system criteria or client-provided attributes, that allows for privacy compliance documents to be ranked by priority to help drive the execution of the highest priority documents.
Among the hard realities, BI has built bright spots. While it’s a challenge to keep such a large and complex schedule up to date, BI leverages available tools to help ensure the quality of its schedule. For example, BI has set up email alerts directly from the client’s SharePoint site for privacy compliance documents so that the BI Privacy Team Lead receives an email when documents are approved at each stage of the production cycle. This simple solution helps us maintain the accuracy and completeness of the Privacy Schedule. It’s an example of using current tools to drive an effective response to an important operational challenge – BI keeps its resources up to date, tracking its work progress on hundreds of documents each year.
Collaborative Top Performers
Innovation, adaptive process creation, process discipline, and a mindset of continual improvement – all were essential components of our rise to a higher altitude in productivity. But as vital as these components were, they would have been nothing without superior collaboration. Therefore, we must emphasize another element that was key to our shared success: the contributors that made this achievement possible.
- Our client worked with us to provide essential information used to populate the earliest generations of the schedule. For the most recent iteration of the schedule, FAA CPO provided timely and actionable guidance that allowed BI to improve the schedule to further meet their needs
- Our BI colleagues in Security Assessment built the schedule and responsively made operational improvements to ensure smooth function that met the needs of the users. BI’s Senior SharePoint Developer set up the email alerts and made sure the Tracker performed as advertised
Author
Tim Hill, Technical Writer
- Assigning specific team members to work specific LOBs
- Executing improvements to the schedule desired by the client
- Internal BI review process for Quality Assurance/Quality Control to improve quality of documents
- Effective teamwork with FAA stakeholders amid their internal role changes
Lessons Learned & Closing Advice
Here are our closing thoughts and the specifics of what we learned in thinking about this case:
- Assigning staff to specific LOBs is key in developing the necessary knowledge of the systems and to building relationships with key system owners and stakeholders, including the client. It is easier, for instance, to build strong working relationships with one or two federal analysts working our LOBs, than it is to try to work with all of them across all LOBs
- Establishing the schedule helped BI understand what the annual privacy compliance document workload would be and how it is distributed across the LOBs
- Highlighting the quarter of the FY in which the privacy assessment needs to be done is key to organizing and sequencing a heavy workload over the course of the Fiscal Year. In addition, executing our workload by the FY Quarter helps align with existing policy, which promotes compliance
- Three years in with the Privacy Schedule, we are stressing the process. Kick-off meetings, at the beginning of the timeline for the privacy compliance document lifecycle, drive action and set the pace, energizing the process
- We push an updated copy of the schedule to the client weekly, so they can see progress. Good communication keeps the schedule and progress visible and in front of mind for everyone
- We actively share the schedule with certain stakeholders in the privacy compliance documentation process to “stay on the same page”
Reflecting on the last three years particularly, and 8 years in total, the key takeaway is that continual awareness and engagement with the customer, the environment, and change inevitably leads to opportunities for innovation and improvement.
About the Author
Tim Hill is a technical writer on the BI team, supporting business development and strategic communications with his eclectic skillset and broad background. A 20-year veteran of the United States Air Force, his active-duty service was in information management and scientific and technical analysis and application. He complemented his military service with careers as an entrepreneur and a quality leader. Tim is an American Society for Quality Six Sigma Black Belt and holds multiple degrees, including a Master of Business Administration from Gonzaga University.
About BI
Business Integra is an award-winning, global provider of information technology, cybersecurity, aeronautic engineering, scientific and mission support services. We are committed to producing efficient and ethical results that cut costs, reduce risks, secure data, and advance human progress via cybersecurity, IT, engineering and mission support services.