I'm all for shaking up Fed IT. So, when Dan Tangherlini launched 18F, GSA's internal innovation hub, he grabbed my attention. More than a year later, seemed like a good time to check in on GSA's geek squad. The question, is the 18F experiment working – Fairytale or Frankenstein? I decided to ask around – talking to Feds and directly with 18F.
The program’s seed funding came from GSA’s revolving capital fund. 18F will pay back that investment by selling fee-for-service projects to agencies. As the program matures, 18F explained its focus on making a lasting difference – getting roots and giving wings to engagements. PIFs (Presidential Innovation Fellows) are hanging around D.C. longer – the 12-month term limits are history. 18F explained that a year just wasn't enough to really make a difference.
When I asked about successes, 18F pointed to analytics.usa.gov. It’s a pretty cool site that tells you in real time how many folks are visiting Federal websites – no lightning bolt, the weather service is consistently top of the pops. Cool, but not exactly transformational tech stuff that enhances fundamental government efficiency. 18F noted that Philadelphia’s showing analytics.usa.gov some brotherly love -- utilizing the code to provide web visit transparency to its citizens.
I did speak with some other Feds, who pointed to the work/dashboard page on 18F’s site. Interesting, but difficult to map from here to groundbreaking innovation.
However, the 411 on 18F is mixed. While ex-18Fers sing the program’s praises, a series of Fed IT execs grumble that the glossy sheen doesn’t reflect reality. They say 18F’s running amok. Agency "sponsors" don't know where to find their PIFs or quite what they do. Folks tell of an arrogant DNA – characterizing 18F consultants as patronizing and demeaning. "Seems they think they're smarter and treat us like we have no idea what we're doing." "What have they actually accomplished, beyond the website tracking thing?”
Folks also have questions about the cyber consideration – "if we didn't have to follow the rules, we could all move a lot faster too." “Prototypes built in minutes don't cut it when our bacon's on the line.”
I put these observations directly to 18F – they seemed aghast. They feel they’re super accountable. They note every agency has a 30-day-out clause. All work is structured in iterative cycles. So, if you don’t like 18F, here’s your chance to 86 them. 18F noted that agile is a leap of faith for anybody that hasn’t done it before – there’s comfort in laying out a traditional waterfall timeline if it’s what you know. In fairness to 18F, based on GAO reports, waterfall has left much of Fed IT under water to date.
Responding to the arrogance accusation, 18F says they’re not trying to play “hero ball.” “We're not here to tell folks that they are doing it wrong – we want to be sensitive.”
Industry has real questions too. Companies feel 18F’s competing with the private sector – leveraging an unfair advantage to shill for work inside the government.
Ironically, former 18Fers do a much better job telling the 18F story than today’s team. 18F is committed to new ways of doing things – agile, minimal viable product, open source, tech sprints, etc. Former 18Fers say that if agencies won’t embrace these principles, 18F simply won’t work with them. That might explain the perception of arrogance.
As I said, it’s a pretty confusing situation. First off, if I might be so bold, 18F could use some real PR support. That said, the tension over 18F seems to be a quarrel between the past and the future of Fed IT. Is 18F perfect? Likely not, but they're surfacing new ideas – which has to be a good thing. The tension between traditional IT and smarty-pants consultants is shaking things up – and ultimately that’s good for Fed IT efficiency. We clearly need increased accountability and transparency in the equation – how and where is 18F delivering value – how much and at what cost? Is there an expiration date on the experiment?
It’s impossible to talk with everybody who’s had experience with GSA’s geek squad – so please write in with your feedback.
Until we hear more from you – it’s WT18F? TBD…
Smokey the Bear says, “Only you can prevent wildfires.” Today, that wildfire is the OPM breach. Yesterday it was IRS. The day before that, it was Snowden.
Tomorrow, it’ll spark up somewhere else.
Federal cyber pros are sounding the alarm. They are spending too much time fighting cyber fires. The old approaches and point products aren’t working – agencies need real change and a holistic approach to fight today’s threats, as well as new challenges smoldering for tomorrow.
Fanning the Flames
According to recent research, 93 percent of Federal executives indicate cyber defenses need significant improvement, but only 56 percent are assessing their networks daily to analyze and address security risks.
Einstein doesn’t look so smart right now – word is DHS’s intrusion detection system didn’t catch the intruders at OPM. CDM (Continuous Diagnostics and Mitigation) wasn’t enough either. Fire likes oxygen – how do agencies choke the flames?
Dousing the Fire
An ounce of prevention is worth a pound of cure – and most cyber pros agree that an effective cyber posture is a combination of people, processes, and tools.
Many are turning to the NIST Framework for Improving Critical Infrastructure Cybersecurity as a comprehensive strategy to prevent the fire drills. The framework was developed in a year-long, collaborative process between industry, academia, and government stakeholders. It’s designed to work in any enterprise – public or private.
Want to learn more about the NIST Framework? Check out the abridged version. This Framework assessment tool helps agencies determine their cyber security capabilities and set goals for their future defense. NIST suggests organizations use the Framework to:
Stop, Drop, and Roll
Don’t forget to test your smoke alarms. And if they go off, don’t ignore them. This said, alarms and point products won’t keep you safe, and won’t keep you off the front page of the Washington Post. Check out the Framework to jump start your comprehensive, integrated cyber defense. Smokey's smiling.
Not sure if he's a coffee or tea drinker, but I do know Tony Scott's joining us for breakfast this Wednesday at the Cloud Computing Brainstorm at the Newseum. The Federal CIO will set the table for the half-day cloud chow down with his morning keynote address.
If you’ve got an appetite for cloud, Wednesday's Brainstorm's a tapas feast – nine tasty tongue tempters and untethered by 2:00 p.m. to trounce the traffic. With 600 govies registered, you'd better arrive early to get a seat at the table.
Here's the menu:
1st Course(s) – your pick. It's FedRAMP Fast Forward for industry. Working session on how to increase FedRAMP efficiency. Or, for the govies, join us for the Data Center Exchange FITARA implementation planning breakfast with Ben Rhodeside, tech lead from Congressman Connolly's office, and Ben Sweezy from OMB.
2nd Course – Yours truly – preview of the new Gov Cloud Shopper functionality
3rd Course – Tony Scott. What's new in Federal cloud – with a side of FITARA implementation planning
4th Course – Building the Cloud Business Model: ITA/Commerce, EPA, FCC, and USDA
5th Course – Trusting the Cloud: GSA, NIST, and Air Force
6th Course – Hybrid Future: Army, IRS, and ITC
7th Course – Anil Karmel from C2 Labs and the NIST Cloud Security Working Group
8th Course – Cloud Computing Caucus Advisory Group – industry perspectives
Dessert – NIST Cloud Security Working Group meeting – featuring a keynote from Jim Reavis from the Cloud Security Alliance
We're embracing a progressive theme for the party – the Cloud Caucus Don't Be a Box Hugger report provides our backdrop. MeriTalk's also releasing new research on DoD's Cloud Deployment plans.
Breakfast with Tony Scott and all of Uncle Sam's best cloud chefs. Make your reservation now. See you Wednesday – I'd arrive hungry and early.
Action packed this week. FedRAMP mass confusion. Capitol opportunity to get serious about FITARA.
But back to GSA's comments – two factors here. First, the FedRAMP PMO says it's drowning in rubbish submissions from CSPs. Babysitting poor submissions is sucking up PMO bandwidth and choking off the supply of certified CSPs. But, if CSPs don't need to get FedRAMP to win deals – merely to say they're in process – there'll be a whole lot more incomplete and poor submissions on the way to the FedRAMP PMO. Second, what smart CSP is going to spend the $4-5 million – not to mention the anguish of the exercise – to go through the FedRAMP process, if it's not required? One additional thought. GSA says it's concerned about limiting competition. Doesn't FedRAMP limit competition by design?
Think GSA needs to reconsider its position. It's not just the vendor community – the Hill and GAO are sitting up and paying attention.
Heads up, there's a little publicized Oversight and Government Reform IT Subcommittee hearing on the implementation plan for FITARA at 2:00 p.m. EST on June 10th. Witnesses Tony Scott, OMB; Dave Powner, GAO; and Richard Spires, former DHS CIO – and long-time FITARA champion.
We're all curious to see how this plays out. The fact that appropriators didn't fund Digital Services makes you think the Hill's serious about putting some muscle behind FITARA. Some see Digital Services as an end around some CIO shops. Here's a wish for the hearing – hoping that we institute a FITARA scorecard. KPIs:
-Percentage of projects delivered on time
-Focus on incremental approach – percentage of projects scheduled for delivery within six months
-Percentage of IT contracts signed off on by the CIO
-Data center efficiency metrics
Now for the dismount – let’s finish as we began with FedRAMP. It’s ironic that almost a year to the day after VanRoekel’s June 4 mandatory FedRAMP-compliance deadline came and went – like Obama’s line in the sand in Syria – even GSA is questioning the program’s raison d'être and fundamental viability. The statistics say it all – this time last year, there were 16 FedRAMP ATO’d CSP offerings – from 13 vendors. Today, there are 36 – from 29 vendors. Of those ATO’d CSP offerings, 17 came through the FedRAMP PMO and JAB process – 16 through the agency FedRAMP process. A year ago, there were 11 CSPs in the GSA JAB pipeline. Of those CSPs in the pipeline, four made it through the process in the last year. The remaining seven are still in the pipeline. No matter where the ATOs came from, a total of 36 certified CSP offerings – from 29 vendors – is not nearly enough after more than three years.
The FedRAMP Fast Forward group met on Wednesday to talk about FedRAMP fixes. It’s too early to turn in the papers, but here’s a look over the shoulder at some early suggestions.
Build a capacity and throughput model for the FedRAMP PMO and JAB process based on today's resources. Publish specific metrics on how many CSPs the FedRAMP PMO and JAB can process in a year. At each phase of the process, state the FedRAMP PMO and JAB SLAs to CSPs from submission to response. This will take the magic out of the machine and allow us to measure performance and allocate resources appropriately. I hear your cries. What if the CSP submissions are rubbish – how’s the FedRAMP PMO supposed to meet its SLAs? Try this on for size – if the submission is materially deficient – and we need to quantify that – then the CSP is disallowed from resubmitting for one year. Tough love – and lawyers will get involved. But we need some more fiber in this diet.
Watch this space for more recommendations from the FedRAMP Fast Forward.
Hope to see you at the Cloud Computing Brainstorm on June 17th.
Never a dull moment in Fed IT. Let's hope the FITARA implementation plan is FedRAMP compliant – something has to be...
Forget tuning in for the Indianapolis 500 this weekend. All eyes are trained on the Great FedRAMP CSP Acquisition 500 right now. Smaller companies that pioneered the FedRAMP approval process are selling quicker than Express Lane traffic on the Beltway. EMC's eating VirtuStream. CSC acquired Autonomic Resources. QTS quaffed Carpathia. And, we're only on the first lap. We're going to see a lot more of the FedRAMP frontrunners lapped up as the IT industry giants realize they need FedRAMP – but flinch from the traffic, complexity, and cost of the certification process. What's the future of Clear Government, CTC, EconSys, SecureKey, Vazata, and more?
Running Into Traffic
The Cloud Computing Caucus Advisory Group annual report, Don't Be a Box Hugger, tells us that, as of May 2015, just 35 products were certified as FedRAMP compliant, with another 40 at one stage or another in the review process, and many, many more waiting to engage in certification. According to CSPs, the average cost to complete FedRAMP certification is between $4 million and $5 million. It takes around 18 months to get through the process. In April 2014, 24 CSPs were awaiting certification. One year later, 16 of those same CSPs were still in the pipeline awaiting approval, according to the FedRAMP OnRAMP. Each FedRAMP certification submission typically entails 1,000 pages of technical and legal documentation. It's the importance of the certification to Federal agency buyers and the complexity of the process that's fueling the FedRAMP CSP buying race.
As more of the bigs jump into FedRAMP, it's going to change the feel of FedRAMP. Today, it's a cottage industry, that trades on relationships. Companies in the pipeline are more concerned about managing relationships with the FedRAMP PMO – so they can cash in on their certifications. Many of those companies are less concerned about how FedRAMP works as an operating model, the costs associated with maintaining their ATOs, and broader government-wide adoption rates. Too many that have made it through the process see the program's complexity as an effective barrier to entry that wards off competition on the track.
Oil on the Track?
A host of questions hang over scalability of the FedRAMP process – how can the program office manage the deluge of new CSPs that want to get through the process? We understand that the FedRAMP PMO currently spends as much time and money maintaining ATOs for the handful of CSPs already through the process – which means the program cannot scale.
Further, word is CSPs are running into challenges with the alternative agency route to FedRAMP certifications – as those agencies are bristling at the cost associated with managing those certifications. How can the FedRAMP PMO manage the volume without adequate funding? If there aren't enough cloud options, how's the government supposed to move to the cloud? The requirement to move to FedRAMP Rev 4 raises additional questions for industry and government alike.
FedRAMP Fast Forward
Industry wants a front seat in FedRAMP. That's why MeriTalk, working collaboratively with the FedRAMP PMO at GSA, is hosting a new industry working group. FedRAMP Fast Forward provides a venue to support, inform, and accelerate FedRAMP and broader cloud adoption across government. The group's structured in three workstreams:
1. Technical Standards and Process
2. Rules, Policy, Interagency Collaboration, and Communications
3. Training, Education, and Transparency
Interested in learning more? Download the working notes from the kick-off meeting or drop a line to firstname.lastname@example.org. The group will host a breakfast meeting at the MeriTalk Cloud Computing Brainstorm on June 17th.
And speaking of traffic, the Brainstorm features a morning keynote by Tony Scott, a NIST Cloud Cyber Security Working Group session, a Cloud Computing Caucus Advisory Group panel, as well as the FedRAMP Fast Forward session – so it's going to be bumper to bumper at the Brainstorm.
One of the three White House IT priorities called out in the 2016 budget request, Digital Services may be the first IT casualty of partisan politics. A series of agencies have reported that their 2016 budget pass backs include a big goose egg in funding for Digital Services. We've asked the question of OMB – seems that's the case. The next question – what's the future for Digital Services with no funding?
It's no surprise that Republicans don't like the idea of the Federal government getting into the state and local business – providing services directly to citizens and growing the Federal budget footprint. Let's face it, the launch of healthcare.gov was certainly diseased.
Each cabinet-level agency was directed by OMB to ask for $9 million for Digital Services. These agencies built out plans for how to implement those Digital Services. Right now, they're wondering if that whole effort was a huge waste of time and money.
If Digital Services faces a dollar drought, what's the path forward? Will OMB find additional funding from another budget bucket? Should agencies focus on self-funding models – perhaps charging America a fee-for-service model? Will this drive a series of no-cost contracts? Dozens of questions out here on the digital frontier. Here's hoping Digital Services makes it out of the neonatal intensive-care unit.
Chances of snow – remote. But, this week was Cloud Christmas for agencies focused on IT transformation. Like a silicon Santa, Congressman Gerry Connolly unwrapped the Cloud Computing Caucus Advisory Group annual report, “Don’t Be a Box Hugger,” on the Hill on Monday. Based on interviews with CIOs and CFOs, Box Hugger divides agencies into a naughty/nice list of sorts. Pioneers – the early adopters who blazed the trail to the cloud. Fence sitters – who have dipped a toe into the cloud, but aren’t ready to make a mainstream transition. And, Box huggers – the anti-cloud crowd, clinging to their own hardware, software and rising cloud anxieties.
The report provides a sanity check on what’s really happening in Federal cloud – and regrettably, what’s not. Importantly, it offers a rationale to explain the movement or lack thereof, in the marketplace, and makes recommendations on the path forward. Three big takeaways:
And, if you want more data and analysis, Katell Thieleman, Gartner’s Federal lead, took the podium after Gerry Connolly. Playing Santa’s helper, she shot down five myths of federal cloud, a foretaste of what you could read in her new report on cloud in Federal IT – a lot of parallel themes. That and “Box Hugger” are two must-read resources for folks serious about change – you’ll see these reports referenced all around the Beltway.
But Wait, There’s More
We’ve only unwrapped the first gift. The elves at MeriTalk have been busy – we rolled out three significant new initiatives this week to improve the cloud forecast. If you don’t have time to read the book, you can watch the movie.
Government Cloud Shopper
Developed with the government – big thanks to Greg Capella at DHS, the team at GSA cloud, and many more – GCS is a free tool that takes the mystery out of cloud acquisition. This menu-driven “build a bear” for cloud provides cloud migration cost estimates based on FedRAMP-compliant CSP prices, professional services costs, and migration set-up expenses. That’s the full cost picture, not just the cloud services cost. It then allows agencies to go to the next level – design requirements – and submit them to the cloud GWAC procurement shop of their choice – GSA, NASA SEWP, DHS, Interior, etc. Change your requirements to see the cost difference between 99 percent and 99.99 percent uptime. What’s the difference between a naughty and nice cloud? Let us show you.
FedRAMP Fast Forward
As goes FedRAMP, so goes government cloud. It’s a consistent, central theme in Box Hugger. You’ll read the report, so I won’t get into detail here. That said, unless FedRAMP accelerates, there’s significant concern that it will collapse under its own weight. This isn’t just a government problem – industry gets it too. Especially the CSPs and 3PAOs that have invested millions in the certification process. That explains the launch of the new FedRAMP Fast Forward industry working group, comprised of FedRAMP CSPs and 3PAOs. Look for bright ideas – and collaboration with government – on how to enhance the value and efficiency of the FedRAMP process and reduce the costs of achieving and maintaining certifications. Second meeting at the Cloud Computing Brainstorm on June 17th.
Is FedRAMP at the top of your Cloud Christmas list? Then subscribe to the new FedRAMP 411 news source. All the breaking news, profiles of agency successes, and updates from the program offices. That plus status on all FedRAMP CSPs and 3PAOs. If it’s FedRAMP, it’s on FedRAMP 411.
And, as if this week’s not enough, mark your calendar for a second helping of Cloud Christmas on June 17th at the MeriTalk Cloud Computing Brainstorm. First up, FedRAMP Fast Forward breakfast meeting. Then, Tony Scott kicks us off with the morning keynote. Then NIST Cloud Cyber Security Working Group. The Cloud Computing Caucus Advisory Group is hosting an industry panel. And, of course, a star-studded program of Federal cloud practitioners sharing their agencies’ experiences in the cloud.
There’s a jingle in the air this Spring – it’s a Merry Cloud Christmas in May.
Considering we're getting down to the dog days of the administration – and CIOs are jumping overboard quicker than you can say FITARA – these are surprisingly heady times in government IT. We've got a new tech-savvy leader on the Hill in Congressman Will Hurd (R-Tx). We've got a new world-class Federal CIO with operational oil under his fingernails in Tony Scott. And, Amazon's recent earnings just proved that cloud is not only viable and sustainable – it's profitable.
Hurd on the Hill – Getting Down to Business
So, what can we expect for the balance of 2015 – and over the horizon in 2016? In a word, pragmatism. That and a real focus on how to actually produce meaningful movement forward. Don't think Tony Scott's going to try to leap any buildings in a single bound – but rather nurture the Fed IT workforce and look to stay the course of cloud transformation with a strong eye on cyber security. Now, everybody's watching for the IT hearing schedule on the Hill and listening hard to the auditors at GAO – we all want to know how and what we'll measure. It's not about forcing change, it's about common-sense IT transformation that really moves the ball forward in delivering quantitative improvements in IT efficiency.
Scott in the Spotlight – Focus on Getting IT Done
Want to hear Tony Scott's vision for the road ahead? You can join us at the MeriTalk Cloud Computing Brainstorm on June 17th to listen to the man in the driver's seat talk about Cloud, Cyber Security, the workforce – all against the backdrop of FITARA implementation plans that Tony released yesterday. What a great opportunity to tie everything together in the context of this new CIO empowerment law. Congratulations to OMB for meeting a deadline – evidence of the dawning of a new era.
Cloud Caucus Report – Don't Be a Box Hugger
All this, and the Cloud Computing Caucus Advisory Group meeting on May 11th on the Hill. We'll hear from Congressman Hurd's partner in progress, Congressman Gerry Connolly – and who knows, perhaps Hurd too? CCCAG will roll out its Federal CIO and CFO study – Don't Be a Box Hugger – the first comprehensive review of the state of cloud in Federal IT. Katell Thieleman, Gartner's Federal fashionista, will step up to the podium to provide that critical analyst insight – and, we understand, offer tidbits from her new government cloud study. That's must see IT.
Catch Up Over a Cocktail
Too much to take in via the written word? Then join us next week, Thursday, May 7th, at the State Theatre in Falls Church, to discuss what's shakin' and the path ahead as O'Keeffe & Company and 300Brand celebrate 18 years serving the government IT community. Register here. Rumor has it, we'll see celebrity appearances from Richard Spires and other Federal IT aristocracy.
More as this exciting story unfolds. Look forward to seeing you at the Cloud Brainstorm, on the Hill, and at the State Theatre. Don't they say that Spring is a time for revitalization? It is in Federal IT.
What'll it be – Cup of IT, beer, or shirley temple? MeriTalk's sister organizations, O'Keeffe & Company and 300Brand, are celebrating 18 years in business. Our theme, the 18th amendment, prohibition. Join us to wind the clock back to 1933, when Congress passed the 21st amendment repealing prohibition.
We invite you to help us celebrate our 18th anniversary and the repeal of the 18th amendment at the State Theatre in Falls Church. The party will feature live Irish music from my good friends at Brendan's Voyage. Everybody's welcome.
18 years serving our community. What better way to say thank you to our community for your confidence than throw a party where everybody's invited? Cheers to 18 years.
Thinking about inking? Quick march to the parlor. Last week, the Army relaxed its restrictions on tattoos. Used to be you couldn't have more than four tats below the knee or elbow – and no body art could be bigger than a soldier’s hand.
Thinking I'm going to get all Andy Rooney about tattoos? Au contraire. I say do as you will – it's your body.
My question, where will we get the extra ink? I'd like to make a constructive suggestion. Maybe we should consider the exclamation point. I don't know if you've noticed it, but people can't seem to resist spilling them into their emails, texts, greetings cards, and even shopping lists. Remember to buy peanut butter! My follow up question – why? Perhaps people should consider if the phrase or observation is really worthy of an exclamation point? You see, exclamation points are like expletives and shouting – if you use them all the time, then they lose their impact. Where's an exclamation mark really warranted? The second coming of Christ! Oh my God! And, that Steve O'Keeffe's a real *******!
I'd say the same for awesome. Consider, does it really inspire awe? If not, you might try nice – fewer letters.
If we recycled the ink that doesn't go into exclamation points and awesomes, we'll surely have plenty in the barrel for tattoos.
Atkins Diet. Metabolism Miracle. Fen Phen. The 25-Point Plan. There’s no shortage of gorgeous slim-and-trim gimmicks. GAO tells us that IT cholesterol is rising – Uncle Sam now spends 80 percent of its $86.4 billion IT budget on legacy IT. Yesterday’s blubber’s choking today’s innovation. So, what’s next? Legacy liposuction, software spanx, perhaps a binary bypass? Maybe, just maybe, it’s time to get clean and sober about fixing Fed IT. Five practical, actionable steps that will make a real difference.
It’s not the circus. Is that what you thought? Apologies to Cecil B. DeMille.
Cyber’s all the rage. Feds can’t get enough. It touches everything – data, networks, mobile, data centers. Feds are throwing money at security.
Is it enough? Don’t think so. But don’t take my word. Take it from someone who was on the frontlines.
Robert Mueller led the FBI following 9/11 and cultivated its counterintelligence service so it could aid in combating terrorism. The former Top Cop modernized the agency from a domestic crime-fighting force to what it is today: “...an intelligence-driven and a threat-focused national security organization with both intelligence and law enforcement responsibilities.”
Mueller will be the main attraction at the upcoming Symantec Symposium, where cyber experts will discuss insider threats, mitigating risk, managing information, and information access.
Those are big topics, but Mueller’s the man in the know so it will be a great show.
Under the Big Top
No lions, tigers, or elephants at the Symposium, but there will be a full house.
Nearly 2,000 Feds have registered for the Symposium because… it’s the Greatest Show on Earth. But you knew that.
So get your ticket here.
Mueller isn’t the only attraction.
Symantec has secured lots of top-flight talent for its Symposium. Assistant U.S. Attorney General for National Security John Carlin, and Lt. Gen. James McLaughlin, Deputy Commander of the U.S. Cyber Command are two names of note on the marquee.
These two are seriously tapped in to the nation’s cyber security challenges, which is why the room will be full.
Follow Symantec’s Twitter feed here for updates on the Symposium.
See you there. I’ll bring the popcorn.
Once in a while, it’s good to revisit and reconsider from a distance. It’s just over two years since then-unknown Alexandria-based cyber security company Mandiant vaulted into the media spotlight. Remember? Mandiant released a report detailing a slew of cyber attacks perpetrated by the Chinese military. More than sweeping accusations, Mandiant identified specific People’s Liberation Army IP and physical facility addresses in a bold tell-all counter attack on a sophisticated and persistent Chinese cyber offensive on U.S. targets.
It was a cyber shot heard around the world. To be sure, Mandiant shocked the world when it released the report. Many sources inside the Federal government expressed distress and disappointment – their concern, that Mandiant had tipped the U.S. intelligence community’s hand. The rationale, better not to let our adversaries know we were tracking them. Removing the blind signaled to the Chinese hackers that they should simply change their addresses and methodologies.
Did anybody see the movie The Imitation Game?
Here’s a question – was our government complicit in the Mandiant report? Was this an early jab in a cyber sparring match between the U.S. and China? In May 2014 – one year and three months after the Mandiant release – our government took the unprecedented step of identifying and bringing charges against a series of Chinese cyber attackers by name. Perhaps the Mandiant report was a proxy offensive designed to put the Chinese on notice?
After all, how did a small firm like Mandiant lay hands on such detailed information? How did it have the nerve to release such a controversial report – which could have capsized the firm by invoking the ire of Uncle Sam?
Let’s say the Federal government did want to leak the report through a proxy – who better than a small firm? Using a major contractor would have been a far more transparent proxy. Further, working through a large organization would have been more complex, taken much longer, and amped up the risk of a leak.
It’s doubtful we’ll ever know for sure, but as Alan Turing would tell us, simple things are rarely simple in cyber space.
Do you think Mandiant was pushed?
How did a wannabe Scott Fitzgerald in college become a middle-aged man fascinated by government audits? Now that's a question I frequently ask my reflection in the mirror while shaving. But, fascinated I am.
As if it's not enough to ingest GAO APBs, I recently found myself fascinated by a new analysis of the last 31 years of GAO audits. That's 1.3 million pages and more than 40,000 recommendations. I tip my hat to the digital detectives at Deloitte, who conducted text analytics against GAO reports dating back to 1983 – an audit of the auditors. This is an astute piece of work – and if Deloitte's goal was to grab GAO's attention, then the green light is on.
Top Five in Focus:
The report considers seven questions. I'll drill down on five:
1. Are GAO Recommendations Effective in Driving Change?
Yes. Agencies completed 81 percent of GAO's recommendations between 1983 and 2008. Unfortunately, it can take a while – as much as four years in some cases. The report suggests prioritizing recommendations and setting associated deadlines.
2. Where do Agencies Fail?
Feds have issues where data's part of the problem – doesn't bode well for the Data Act or new CDO spots. We run into problems when inter-agency or inter-discipline coordination is required – troubling in a collaboration economy. Healthcare and transportation recommendations are common stumbling blocks – what ails healthcare.gov? Ironically, agencies frequently hit the wall when reports call out high-ranking officials or Congress – seems leadership's more comfortable pointing the finger than getting the finger.
3. Where do Agencies Succeed?
Seems agencies do well implementing IT recommendations – IT has two in the top four most likely to succeed spots. Agencies have successfully implemented 94 percent of GAO IT security recommendations – and 87 percent of overall IT improvement asks.
4. Does Nagging Help?
No, no, no, no, no. Repeated GAO reports on hard problems don't improve outcomes. Seems the toughest problems really require Congressional intervention.
5. Has GAO Changed Its Focus Over Time?
Not much. GAO consistently focused on the same topics in the '80s and '90s. The exception, IT has replaced Natural Resources and Environment oversight since the turn of the century. Watch this space.
Nick Carraway, Gatsby, and the CIO
Let's try to bring it together for the dismount. While the areas of focus haven't changed much, GAO has amped up its volume in the top five areas of oversight – from 5,112 recommendations in the '80s to 10,682 in the '00s. That growth tracks with the increase in partisan rancor in Congress, and suggests that perhaps Congress is using GAO as a soft power tool to spur change it can't legislate. The big takeaway for CIOs, weighed down with their new FITARA armor – look for the volume and frequency of GAO IT recommendations to get more intense. That's even before IT's recent debut on GAO's 30 High-Risk Watch List.
Okay, but here are the difficult questions from Nick Carraway – if GAO's recommendations are super effective, and Deloitte says that they are, why is Fed IT still in such a mess? Have we succeeded our way on to the High-Risk Watch List? Without commitments to change and effective leadership from OMB – improving IT outcomes is as futile as pursuing Daisy Buchanan. Let's hope it ends better for Mr. CIO than for Mr. Gatsby. We beat on, boats against the current...
True to their word, Terry Halvorsen and Major General Alan Lynn released milCloud pricing on Friday. Here's the chance for industry to see the competitor's price card. Some observations.
Congratulations to DoD for enhancing cloud transparency -- and for amping up the competitiveness of its cloud solutions. You have to ask why DISA continues to offer RACE. Or should we say that milCloud is the logical successor to RACE?
Wanna Get the Skinny Directly from DISA and DoD?
Join us on March 25th at the Newseum for the MeriTalk Data Center Brainstorm to hear from Jack Wilmer, Infrastructure Lead at DISA. If you're a govie, register for an executive breakfast program with David DeVries, Principal Deputy CIO at DoD.
The 2016 budget's out – read six pages in the Analytical Perspectives to get smart on what's important in Fed IT. If you won't do the homework, this cup's a must-read. We did the reading so you don't have to. In addition to the typical yada, yada on promoting innovation, encouraging small business, and chest thumping on questionable savings, there's some critical data in the budget.
Top line, more tech spending – up 2.7 percent to $86.4 billion. That said, there's a slowing in growth. From 2001 to 2009, we had 7.1 percent annual growth, which cooled to 1.7 percent. The administration claims partial credit for slowing growth – citing efficiencies achieved through better management. See key charts for budget breakdown and trajectory.
Three additional hard figures to use in your presentations:
- $14 billion for cyber security
- $105 million to incubate Digital Services at 25 agencies
- $16 million for GSA to administer open data initiative
Seems the President's given up on the 25 point plan – hooray! We're down to three things. Driving value in IT investments, delivering world-class digital services, and protecting Federal assets. We're seeing the Feds get into the state space – delivering more services directly to America.
The White House's doubling down on PortfolioStat – and getting clean and sober on open government. Despite a series of misfires on the IT Dashboard and transparency, the administration commits to making the results of agency PortfolioStats and IT savings performance available on the IT Dashboard. Let's hope that OMB lives up to this commitment.
Success Stories and Stats:
Bottom line – the White House says we've saved $2.7 Billion since 2012, through better IT management. Agile trumps waterfall – Administration claims 40 percent improvement in ability to deliver IT projects on time and on budget. Apparently cloud is happening. Budget tells us that 8.5 percent of the 2015 spend went to cloud "and other provisioned services" – that certainly doesn't jibe with GAO numbers. No disrespect to NSF, which has embraced the cloud – but its success is hardly a serious reference point for a major shift to the cloud across government. Big shout-out for data center closures – feds have shuttered 1,136 by August 2014. That said, it's difficult to believe anybody's really dead unless we can see the corpse.
Not to be a skeptic, but we'd all like to see more details behind these assertions – please post that math on the IT Dashboard. How about some energy metering data – as well as hard expense costs by civilian agencies for data center operations. After all, Halvorsen committed to posting DISA milCloud pricing – will Scott do the same in civvies? It's time to address the credibility gap.
Sense of Security?
CDM appears more than any other acronym in the 2016 IT budget. That speaks volumes. The $14 billion allocation for cyber security and flagging of CDM will raise some eyebrows. The 17 CDM prime contractors are starting to ask questions about the program's direction moving forward. DHS, any thoughts on how to accelerate the pace of the program rollout?
So, that's the new Fed IT budget flyby. Here's the full text. Here's the ADHD version. Spending up. Simplified – three priorities. Show me the money – promise of new transparency.
With the snow, don’t want you getting frostbite reading this pour on your mobile. Three short pours. Caution, the beverage you are about to enjoy is extremely hot.
Pause: Cloud Chicken?
Think again. Some new wrinkles in the cloud stuff. DoD CIO Terry Halvorsen and DISA’s Major General Alan Lynn called it like it is at the Cloud Computing Caucus Advisory Group meeting on the Hill last week. Cowboy up – DoD cloud requirements will continue to change. For industry, that means ongoing certifications – read greater cost to play. Halvorsen and Lynn also talked about the emerging requirement for what happens when things go missing in the commercial cloud. The Pentagon’s going to want to root around inside industries’ data centers.
The big questions – and, here's the cloud chicken. What if industry decides it doesn’t want to play? Or more accurately, what premium will DoD have to pay to convince commercial cloud providers to play? What if that price is more expensive than the legacy systems? Lastly, Halvorsen wants cloud, but can he afford it – especially if he’s bidding against the world’s biggest customer, consumerization?
Paws: Big-Bang Bust Up
Watch out for the claws. GAO doesn’t like the Big-Bang theory – it put IT on the 30 Oversight High-Risk List. Here come the hearings. Great time for Tony Scott to take the wheel. Here’s Scott’s opportunity to use oversight as leverage to make real changes.
Pours: It’s Nice to Share
More tea vicar? Senator Carper may be a Target shopper – that’s why he’s introduced the new Cyber Threat Sharing Act of 2015. Building on the President’s Executive Order – Carper's proposed bill tells us to share and share alike. Lays out a good framework for industry and government cyber collaboration. Puts National Cybersecurity and Communications Integration Center – NCCIC – center stage. Swings at corporate liability barriers, pushes for faster sharing, and stresses the need for government to share too. The devil lives in the details – curious to see plans to operationalize. We’ll need carrots and sticks to move this stuff forward.
Pause. Paws. Pours. What’s cool and what's getting you hot and bothered in Fed IT?
At last, someone who knows what they're doing. That's the hopeful refrain from Federal IT and industry folks after the White House announced Tony Scott as the new Federal CIO. You can tune in on Tech Tony's Titan Talent here. But, I'm pouring a cupful of the one thing nobody asks for – advice. Five points to consider:
Less is More
Here's a chance to reset the madness that is the 25-Point Plan to Fix Fed IT. There are only 10 commandments, how can there be 25 ways to fix Fed IT? Time to back away from the measles – pick three to five priorities. How do we lift the mountain of mandates from the shoulders of our IT leaders – the beatings will continue until morale improves? Time to square the goal posts – and measure Fed IT execs on performance.
To be sure, not suggesting that we walk away from metrics – or that we simply dismiss all the audit work that exists against programs like FDCCI, Cloud First, and CDM. But we have to reduce the number of things we measure – or the cure is worse than the disease. Make friends with GAO – they know where all the bodies are buried.
Carry the Standards
Is FedRAMP a good standard or not? If it is, stand behind it. The June 4th OMB FedRAMP non-deadline made fools of the administration and frustrated agencies and industry alike. If you're going to drive to Cloud and Mobile First, then mean it. Do FISMA, CDM, and risk management represent the path forward in cyber – clarity on coexistence please?
Common Defense Policy
While OMB can't pull rank in DoD, it's a great idea to sit down with Terry Halvorsen to map out battle plans. Terry mentioned he knows Tony at yesterday's Cloud Caucus Advisory Group meeting on the Hill. So gents, we look forward to the two of you getting together to map a path to maximize joint operations.
In government we have our special acronyms designed to confuse and confound. The way we budget is all messed up. It's hard to recruit and retain the best and brightest. And, we're older than the commercial market. Other than that, it's exactly the same – and that with no sarcasm. Feds are people – they want to do a good job, and respond to carrots and sticks. Go speak to frontline IT operators. Factor FITARA. Time to reconstitute the CIO Council – and put it to work.
Taking over as Fed CIO with less than two years in a lame-duck administration may seem like a resume-building move. Here's hoping Tech Tony is Great Scott.
As the new Federal CIO readies to reboot the administration's IT modernization agenda, folks can be forgiven for uttering – at last someone who knows what they're doing.
Your thoughts on recommendations for Tony Scott?
Is DoD marching in double time to the cloud – or MIA on modernization? That’s the question that caused companies to close ranks at last week’s DoD industry day at the Commerce Department. Couldn’t get a billet? You’re not alone – many could not get in. Here’s the military intelligence and an opportunity to sign up to witness Halvorsen drop the second boot on cloud. Halvorsen, Major General Alan Lynn, Chief Technology Advisor Kenneth Bible, and Deputy Assistant Commandant Thomas Michelli will take the Hill at the Cloud Computing Caucus Hillversation on the Hill February 12.
But first, let’s reconnoiter the battlefield from last week’s industry day.
Data Center Court-Martial
Halvorsen tore the epaulets off traditional data center definitions. Don’t think traditional standalone data dungeons. Set the data free. Think joint operations across multiple clouds – with and without dog tags. “Industry needs to share data…There won’t be one single cloud environment.” No encrypted code here – DoD requires joint forces in the cloud.
milCloud Situation Report
milCloud has been at the center of the DoD IT modernization discussion since its launch last October. Halvorsen said milCloud is too expensive – although he decorated DISA for cutting milCloud costs by 10 percent. Still, industry wannabe milCloud rivals find themselves in no man’s land – nobody knows milCloud’s price list. At the same time, Halvorsen noted the potential to break ranks with DISA and join forces with commercial CSPs as they steel their perimeters and beef up internal security. DISA’s number two, Maj. Gen. Alan Lynn, defended milCloud. He said active duty milClouds in Alabama and Oklahoma offer cheaper prices and better customer service than at launch.
A River in Fatigues?
Halvorsen took a leaf out of NSA’s cloud combat catalogue – asking industry to deliver proposals to OEM commercial clouds inside DoD, effectively putting commercial products in camouflage military uniforms. Don’t dismiss it – at the Navy, the Cloud Commander-in-Chief floated some services up the Amazon.
Defense Goes Offense on Cloud
Like you, the Hill wants to know more. Join me at the Cloud Computing Caucus Advisory Group at the Top of the Hill on February 12th to hear from Halvorsen, Lynn, Bible, and Michelli. Will Halvorsen deliver new intelligence on cloud in combat? Will DISA share its MilCloud price catalogue? Have the Marines got there first? Is the coast clear for cloud at Coast Guard? To the cloud – now’s no time to retreat. Register today.
In Fed IT, it's AFE. Don't recognize that TLA – Three Letter Acronym? It's Acronyms For Everything. As the elephants and donkeys charge and kick one another over the 3Is – Immigration, Iran, and Israel – there's one acronym on which they find common ground – FITARA. And, that one doesn't need spelling out – unless you've been hiding under a rock.
Reds and blues don’t agree on much, but they’re united on their call for enhanced efficiency in government IT. Importantly, FITARA is law now – and the CIO empowerment act gives Federal CIOs the nuclear option. That said, to quote Spiderman, with great power comes great responsibility. As it elevates CIOs, FITARA also puts the top IT execs in the hot seat.
We all remember that Vivek Kundra set the pace for change as President Obama’s first Federal CIO. At the time, given the administration's initial Open Government policy, this all made sense. Vivek published headcounts for Federal IT data centers, sounded the battle cry to the cloud, and set quantifiable targets for new efficiencies. Accurate or fantasy, the metrics provided everybody a way to get a grip on the $80 Billion slippery fish that is Federal IT – some say $160 Billion fish. So it's ironic, the pro-government Democrats essentially placed a target on the back of the CIO.
Hardly surprisingly, the Republicans – led in the House by Darrell Issa (R-Ca), then-chairman of the House Oversight and Government Reform Committee – and closely supported by the committee’s senior Democrat, Gerry Connolly (D-Va.) – loved the idea of increased government accountability. In fact, Issa and Connolly like Fed IT modernization so much, they co-founded the Cloud Computing Caucus. The Senate too took on Vivek’s metrics mania – where Senators Carper (D-Del.) and Coburn (R-Okla.) carried the torch. Together, the warring parties passed FITARA – it's the Acronym Across the Aisle.
CIOs in the Crosshairs
So now that it’s law, it's time to implement FITARA. The law says agency CIOs need to sign off on each and every IT purchase and makes it illegal for other agency execs to reprogram IT appropriations. So if IT projects succeed, CIOs should expect laurels. If they run into challenges, OMG.
A couple of concerns here in defense of CIOs. First off – FITARA envisioned consolidating the CIO title so that there would be just one per agency. Today, many government departments have multiple CIOs within the bureaus and components that make up each agency. This CIO consolidation got killed in the final stages of FITARA’s passage into law. This proliferation of CIOs dissipates control and accountability.
Second, there's the whole cloud thing – and its impact on Shadow IT. The reason folks speculate that the Federal IT budget may be much bigger than the $80 Billion appropriation is that significant IT investments live within funding for other programs. For example, IT guidance systems within a missile defense system don't roll up into the $80 Billion IT number. So, do CIOs have veto power on those shadow IT components within "non-IT" programs? I don't think so.
Shadow IT's an old chestnut, but it's made super relevant today by cloud computing, which is providing a new dimension to the hidden IT economy. Recent IG reports tell us that some Department CIOs only see about 30 percent of their agencies' cloud investments. Mission owners are buying cloud services – sometimes on their credit cards – without OCIO visibility or approval. Like Peter Pan, CIOs need to get a grip on their shadows to really gain control of IT.
So, we're heading into hearing season. We understand the folks at GAO have a series of new reports and statistics that point at data centers, cloud adoption, and security. OGR, under new Chairman Jason Chaffetz (R-Ut) and long-time tech champion Connolly will look hard for Fed IT progress and savings. Guessing the new OGR Information Technology Subcommittee, headed by Chairman Will Hurd (R-Tex.), will be the crucible for accountability and change. On the Senate side in HSGAC, Senator Ron Johnson (R-Wis.) and Senator Tom Carper (D-Del.) won't want to be left out of the IT action.
Rumor has it, the CIO Council has already met this year to map out FITARA implementation plans. While the weather's cold, it's going to get hot in IT. All eyes on the CIO Council and the Hill. And let's not forget the most important acronym in D.C. – CYA.
What's your take on FITARA? Will the new law change things?