CDLE Firewall Migration: Securing Colorado while Integrating Change Management

By Sharon Roberts, Office of Information Technology (OIT), Brian Johnson, Colorado Department of Revenue (CDR), and Kim Luallin, Colorado Department of Labor and Employment (CDLE)

July 7, 2021

Fiscal year 2020 

As part of the state’s “Secure Colorado” strategy to keep the data of Coloradans and the systems secure, the Governor’s Office of Information Technology (OIT) was asked to execute an enterprise-wide initiative to replace the current agency firewalls with state-of-the-art firewalls. The firewalls are the part of the agency network that blocks unauthorized access to the applications and systems. All agencies in the state of Colorado implemented their Perimeter  Firewall Migrations in 2020. A network perimeter firewall is a secured boundary providing the main defense of a private network and other public networks, such as the internet. The firewall detects and protects the network against unwanted traffic, potentially dangerous code, and intrusion attempts. The one agency that did not complete this initiative was the Colorado Department of Labor and Employment (CDLE). That year the pandemic struck with an unprecedented impact on CDLE. After a lengthy discussion with the agency, the decision was made to postpone the rollout until the pandemic demands diminished at CDLE.

Fiscal year 2021

CDLE eventually decided to complete their agency’s Perimeter Firewall Migration on April 17, 2021. We spent a year planning this venture and utilized some key factors of change management such as agency sponsor selection, managerial and supervisory buy-in, and the identification of where we were likely to encounter resistance. But most important was the concerted effort we put toward communication. We implemented a successful rollout primarily due to the following:

In addition to the development of these documents, we also had to ensure that a code freeze - wherein all work on adding new features is suspended - was in place the week before, that the OIT Change Advisory Board (CAB) had approved the request, and that we ran through a mandatory pilot in advance of the actual implementation date. Nothing was left to chance.

Communication was key. Up to this point we had utilized in-person meetings, Google video meetings, email, and instant messaging to convey the needs of this project. The communication method employed was dictated by both the audience and the urgency of the message. On the actual cutover day, there was a chat room established with the OIT Technical team as well as the Firewall Migration team. Status reports were issued on an established schedule throughout the day and into the evening to keep everyone informed. In the ADKAR world, this spoke to Knowledge and Ability. This process was one of knowledge sharing while building on each individual's capability to implement the change. Still, the Firewall Migration team found that it was necessary to reinforce certain messages that had been previously communicated to ensure that proper processes were followed and that any remaining pods of resistance had been adequately addressed. 

And to top it all off, we had an Xcel Energy service disruption on the cutover day. This was impossible to reschedule with the utility company. We had to ensure that computers were kept on for the power outage on Friday and Saturday to make sure both the numerous testers and support teams had access to their systems. This added complexity was an unexpected situation that the project team had to account for in planning and during execution. Again ADKAR to the rescue: 

A - The project team had to communicate with the many stakeholders that this unavoidable disruption was occurring, 

D - We had to ensure that they knew that this was not a personal choice but rather a decision to engage and participate.

K - Make sure they understood how this disruption would impact the Firewall Migration.

A - Required action on their part to work through this disruption to implement the change.

R - Reinforce that the Firewall Migration would still be a success despite this disruption.

We worked through this, plus all the issues that arose on the actual migration day that could have sidetracked this project, and followed them through to resolution. The week following the migration, OIT staffed a “War Room” to address the non-critical applications. The War Room also handled the incoming calls that ironed out all the final remaining issues.

The result? Success. But it was the culmination of a lot of effort expended by members of the OIT Technical team, the 16 Divisions of CDLE along with their Divisional Representatives, the OIT PM team, the CDLE Business Technology team, and leadership. It can’t be overemphasized enough that a commitment to constant and clear communication to all concerned was the real key to our success.

But the OIT PM team will tell you that the most important part of this entire effort was the very positive feedback that they received from CDLE itself. In addition, OIT headquarters told us that they were going to model future efforts after this project because it had been executed so well. That kind of feedback is what makes us proud to be public servants for the state of Colorado.

Want to learn more about Change Management at CDOT? Check out our improvement efforts at the Office of Process Improvement’s website!