Michigan CIO Laura Clark draws on her experience as a cybersecurity professional to guide zero-trust development for her state.

May 01 2023
Security

Q&A: Michigan CIO Laura Clark Embarks on a Zero-Trust Journey with MILogin

The cybersecurity expert prioritizes identity and access management for authenticating citizen users.

Michigan Gov. Gretchen Whitmer appointed Laura Clark as state CIO in October 2021. Clark previously served as state chief security officer, rising through the ranks of the Michigan Department of Technology, Management and Budget since joining in 2001. For nearly a year, she held dual roles as CIO and chief security officer until the state appointed an acting officer for the latter role.

StateTech Managing Editor Mickey McCarter chatted with Clark about her state’s IT priorities, the successful MILogin identity and access management program, and cybersecurity challenges.

STATETECH: Can you share some success stories from your time as CIO of Michigan?

CLARK: We are continuing to build out our environment to support our state employees and contractors working in a hybrid workplace. A lot of our focus is expanding the ability of our employees to work from remote locations, access their systems and services, and ultimately serve our residents and businesses even better.

We’re going to push a lot of policies to the endpoint. We’ve increased our VPN capabilities and are working to make multifactor authentication easier to use. We already had MFA rolled out to all our users before the pandemic hit, but some of the tech was a little clunky because it wasn’t used quite as much. We are continuing to improve some of those controls and technologies from a user experience standpoint.

STATETECH: Michigan’s MILogin single sign-on program seems to be a big success. What can you tell us about it?

CLARK: MILogin started as an executive order during a prior administration. Gov. Gretchen Whitmer has continued to prioritize and enhance its capabilities from where it began as a single sign-on portal with a couple of smaller applications. In 2014, we had about 2,400 users on that system.

We’ve expanded it to more than 300 application interfaces behind the MILogin portal for 16 different agencies, and we have now over 9 million digital identities stored in that service. Pre-pandemic, we had about 25,000 daily logins through MILogin. During the height of the pandemic, we hit almost 2 million. And now, we’ve leveled out at around 800,000 each day.

We know that this is the first point of interaction with our customers, and that’s one of the reasons we’re focusing on usability through a human-centered design approach and pushing out self-service abilities for our end users, so they can access government services when and where it is convenient for them.

STATETECH: Do your single sign-on portals require getting agency buy-in to have other applications participate in identity and access management programs?

CLARK: Michigan is highly centralized, so our service model is a little bit different. We support all of the agencies in application development. We have a policy that requires state applications to use MILogin as the identity and access manager. With all policies, there are exceptions, and we also have a lot of systems that were already built and had their own identity and access management processes in place. As those systems go through modernization, major modifications or enhancements, that’s when we’re trying to onboard those to MILogin.

We’ve realigned the MILogin team into our Cybersecurity and Infrastructure Protection organization, but it started in our Center for Shared Solutions. It’s all about identity and access management, so we’re on the journey to zero trust. MILogin is going to be one of the primary components for us to be able to implement zero trust, which is being able to identify and manage who’s accessing our systems, our data and our devices.

STATETECH: What are future milestones for MILogin? What will it look like in a couple of years?

CLARK: We conducted an assessment on human-centered design for MILogin. We’re continuing to build out how our residents will interface with our systems through MILogin. We’re continuing to build out self-service, but we’re also looking to ensure that the branding and the user interface are consistent with the overall look and feel we have with our Michigan.gov platform and other digital applications.

We’re also looking at how to do a more efficient job with identity proofing behind the MILogin platform. We hope to start that in-house. That helps address concerns around fraud and related challenges.

STATETECH: How often does the state CIO get to make such a public case for IT spending, like yours recently featured in The Holland Sentinel? What is the IT modernization budget specifically going toward, and how does that build on your future priorities?

CLARK: We have an IT Investment Fund board. We work with our state budget office and we have representatives from several of our business agencies. We work together as a board. Our agencies present projects that they would like to be considered as part of our annual budget. Each year, we go through this process where agencies will submit projects that they would like to request modernization funding for, and as a cross-functional or cross-agency group, we look at the projects that are being proposed and align those and score them on a set of criteria that the board sets to say, “Is this hitting the primary modernization criteria that we want? How is it looking at usability? Is it impacting multiple service lines? Are we consuming shared services with these modernizations?”

Once the board completes the scoring, we make a group recommendation to the state budget office and the governor’s office on what we think should be included. To me, this is a great opportunity for us to partner with our agencies to ensure we’re supporting what they need from a digital strategy.

This is a unique model for the state of Michigan, to be able to work with our agency partners to come up with what should be prioritized and requested in our budget. I appreciate the willingness and the time it takes for our partners to review this. It’s no small effort. It takes many days and many hours for us to review proposals and complete the scoring.

Over the past couple of years, we’ve had quite a significant amount of money be put toward the IT investment fund, and I think that shows a strong commitment by both the governor’s office as well as our legislative partners, because it takes both of them to get this accomplished.

STATETECH: Michigan hosted the Michigan Cyber Summit last fall, and there seemed to be consensus that state governments aren’t interacting enough with local governments.

CLARK: All states and local agencies definitely agreed that we need more programs available and more communications available across the multiple layers of government. In Michigan, we have a long-standing history of thinking of cybersecurity from a digital ecosystem. A lot of states call it the whole-of-state approach.

The Michigan Cyber Summit gives us a really good platform to bring in not only our state partners but also our vendors and industry partners in one place. They interact with decision-makers to hear concerns across the board. It gives us a great platform to have a lot of communication.

We host a monthly Cyber Partners meeting. The Michigan Department of Technology, Management and Budget coordinates and organizes these meetings as a community of interest. We have about 100 people joining those monthly meetings. We bring in federal partners and others from the state, such as our state police, the Department of Military and Veterans Affairs, and the National Guard. We share information and best practices.

If there’s an event, like a zero-day event or something like that that’s happening, we’ll bring in experts to help talk through what’s being seen out in the wild. What are some of the remediation steps? We also have the Michigan Cyber Civilian Corps, which is our legislatively approved group of civilian cyber experts who can help respond to a cybersecurity event from around the state, such as a ransomware incident.

We’re building out our state website to host more resources and tools for our local entities as well as for our residents. We’re creating a centralized place where residents know that they’re getting good materials and good assistance to help make them more cyber resilient in their home lives.

STATETECH: What are you looking forward to in this year’s midyear or annual National Association of State Chief Information Officers conference?

CLARK: The NASCIO conference is a great opportunity for me to connect with my peers and to have some conversations, and to see where we are with different challenges — to see if Michigan is in alignment, ahead of or behind some of the other states. We like to share best practices or what we’re learning as we’re doing implementation. I’ll share things out, or I’ll ask questions of my peers if they have any lessons learned.

There are always a lot of follow-up conversations and questions from those discussions. It is also a great opportunity for us to interact and learn from our industry partners to get the latest information on their products and to understand where they are going. It’s an important place for us to see trends and to consider future investments that we can build into our plans.

STATETECH: Until recently, you served as both CIO and chief security officer for Michigan. What insight did that offer?

CLARK: As you’ve seen in NASCIO’s state CIO list of priorities, cybersecurity continues to be at the top.

Having a cybersecurity background, or at least an understanding of the cybersecurity landscape, really is important for all IT leaders.

We’re grateful that our governor and legislature have prioritized key investments to build out our cybersecurity defenses, to put money directly toward our zero-trust architecture and to hire additional IT staff to support our cybersecurity team. We recently got approval to hire 19 new cybersecurity professionals here in the state of Michigan.

I was the chief security officer for a couple of years, and then moved into being the CIO. I believe this gave me a strong foundation in cybersecurity, and it helps me to make cybersecurity a primary focus of our organization. If I could make a recommendation, I would tell everybody to spend six months or longer in cybersecurity to really comprehend and understand the challenges confronting their teams.

Photography by Logan Zillmer