In Utah, a law enforcement agency once assessed some new artificial intelligence software that would help officers fill out forms quickly. The Utah Department of Technology Services inquired about the privacy and security protections of the application. It didn’t have any, so DTS did not approve the purchase.
“We have a very decentralized technology decision-making process in Utah,” said Utah CIO Alan Fuller Tuesday on a panel at the NASCIO 2025 Midyear Conference, hosted by the National Association of State Chief Information Officers.
“The budget is not centralized; the budget goes to the agencies,” he added. “So, we have 25-plus different agencies who all make decisions, and they would do so without guidance if we didn’t have standards in place for enterprise architecture.”
In a decentralized state IT environment, states may promulgate enterprise architecture standards primary for security but also for effectiveness and efficiency, said Fuller and Michigan CIO Laura Clark during the NASCIO panel.
“We look at what we can afford to maintain within our environment, so we take a step back and say, ‘Even though it’s technically possible or feasible, it has to make sense for our enterprise architecture,’” Clark said. “We move toward more sustainable, smaller, distinct purchases to ensure that we meet affordability and availability requirements.”
Click the banner below to follow StateTech on social media for more news for state CIOs.
Enterprise Architecture Guides Workplace Efficiency
Clark emphasized that the Michigan Department of Technology, Management and Budget vets solutions for consistency with the state’s enterprise architecture standards.
“And we’ve worked with our service owners or the platform owners to actually do the security assessment and review against our risk policies and requirements based on enterprise architecture,” she said. “If somebody is looking to deliver something faster and they use one of those prevetted solutions, then they can actually adhere to the controls. The process for the security evaluation is quicker.”
Such arrangements reduce the burden on staff and optimize licensing costs while maintaining a standard footprint, she said. When possible, using fewer tools to do the same job will result in greater efficiency and deeper expertise in those solutions.
“Just because something can technically do the job and meet the business need doesn’t mean it’s necessarily the right choice in the context of the other products that are already in place,” Clark said.
In Michigan, an IT enterprise architecture team designs a roadmap and facilitates support of it, she said.
“We can look at things before purchase,” Clark said. “We work with our procurement team.” Together, they assess purchase proposals against the existing IT environment to see if something already exists that can meet the need.
“It also speeds up the amount of time required for us to deploy things in our environment ... and potentially yields costs savings for us,” Clark said.
Click the banner below to explore how digital transformation can improve citizen services.
Security Assessments May Change the Enterprise Architecture Baselines
Fuller and Clark agreed, however, that innovation may prompt their government IT agencies to rethink how things are done. “There is room to improve legacy business processes and update applications,” Fuller said.
“We look at the process of understanding what our state agencies are trying to accomplish, what they need to do for our residents and how to align with technology to meet those goals,” Clark said.
Michigan at one time looked at modernizing an application with a web solution, Clark said. But once officials began the process, they realized that the application would not have all of the desired functionality.
She recalled: “The application development team said, ‘Well, you need to change the configuration of that tool.’ And we had this conversation about it. ‘OK, how does this relate to our guiding principles with enterprise architecture? Because I’m purchasing modern tools to help prevent modern attacks from happening to me.”
And so, Michigan changed its mindset around managing legacy applications to adjust with the reality of the situation, Clark said.
Fuller agreed that agencies should modernize legacy applications with technology that is more secure. In Utah’s case, it previously invested in a lot of open-source solutions.
“These were great, all of the tools for each of those components were great, but we found that it’s really difficult to upgrade all of the little libraries that drive those solutions. Over time, we developed a lot of security vulnerabilities,” Fuller said. “From an architectural perspective, we know why it would be penny wise and pound foolish” to continue to support those solutions when they produced significant security challenges.
