The Tip of the Iceberg
The problem is that I could write entire books on the duplicative and fragmented buying within agencies. My goal here in this chapter is to make you aware of the problem and to help you better understand what to look for. In terms of what additional classes of stuff to look for, focus on things like document management systems. How many document management systems does your agency need, and how many do you have? These are expensive investments and they are pretty much the same. Agencies have 15, 20 or even more of these systems when they should be able to get by on one or two for the entire enterprise (department). How many networks does your agency have? USDA has 10, down from 11. But that is still wastefully redundant. Before she left the post of CIO, Cheryl Cook lamented her inability to chop that number down, and she was aiming for one.
If your agency is buying Microsoft or Oracle off of more than one contract you are probably setting money on fire. The business model for these companies is to try to figure out how much of their software you are using and then send you a bill for all of it, even when that software isn’t used. This is known as true-up. They tell you, go ahead, use our software, we’ll settle the amount so that you pay for what you use later. A lot of people have heard of true-up, but have you ever heard of true-down? In a world where the price increases because of demand, shouldn’t that price also decrease when demand decreases? Why do we never hear about true-down when we don’t have to pay the vendor as much, or, God forbid, we have overpaid and are entitled to a refund from the vendor?
The best example of this is Microsoft Project. Now I’m a Project Manager so I actually use, or used to use Project all the time. But most people don’t use it. But there was that one time in which they needed to open an .mpp file and somebody installed Microsoft Project on their machine. You must set policies and rules on your network that automatically remove software like MS Project if it hasn’t been used in 90 days. If you can go a quarter without using the software you don’t really need it. So, Project, Access, and any of those other programs that are add-ons, lower your costs by uninstalling that unused software.
People usually get that, deleting unused software from workstations. What people have a much harder time understanding is on the application side. Let’s say we have a system that does some really important stuff. We will typically have a couple of development environments, a production environment, a test environment (or integration environment), a user acceptance test (UAT) environment, a backup environment, a training environment, and an environment for security testing. From a platform/infrastructure perspective, each of these environments should be exact mirrors of each other. The only difference should be the build of the applications and the data contained. But if you have an Oracle database on one, then you have it on eight separate environments. So the cost of the Oracle license is x8. But the fallacy here is that each of these environments must be running 24/7.
The dev environments and prod environment you need, those must be operational. The backup too. Those are unavoidable. But how frequently are you integrating the various builds together and testing there? Probably no more frequently than once every two weeks and even then, you only need a couple days. How frequently are you using the UAT environment? Probably only prior to a release for final testing. How often are you really delivering training? I found that I was paying for these environments and the software that enables them, but I was only using them for a fraction of the time, typically two or three days per month. My point is that in the same manner in which we uninstall software that isn’t being used, in a virtualized data center environment or cloud environment, we should be creating and eliminating environments based on when we actually need them. If we aren’t using an environment, it shouldn’t exist.
In the old days when people had to install software on physical servers we couldn’t take this approach. It was too onerous and took too long. But in a virtual world, these environments can be spun up in a couple minutes. We should only be paying for what we use. Using this approach is like turning off the lights when you are the last person to leave. The difference is that this will save a lot more money in licensing.
Digital Analytics Program
There actually is a bright spot from managing commodity IT. I would have to say that the Digital Analytics Program (DAP) is it. Before this, every agency had Google Analytics or some variant. We were buying that capability in a fragmented manner. The biggest problem was that we wanted to roll up every agency’s data to see a wider dashboard of all the domains. As part of the Digital Government Strategy, GSA entered into a contract with Google for the entire Federal government. Now every agency can forgo their independent Google Analytics capability and just use the single one from GSA.
The reason I say that this is a real bright spot is because GSA absorbed all the complexity for the agencies. They have the code and they will tell you how to apply it. They will work with you to get the dashboard running on your websites and they will help you to analyze the data. I mean, it couldn’t get much easier. The kicker is that you don’t have to pay anything. It is already paid for by GSA.
I wish we had data about how much money agencies were paying for this service when they were buying it in the fragmented manner. But however much that was, that is how much we are saving (technically avoiding in costs) today.
The next evolution in maturity for this capability must be to include the ForeSee/iPerceptions capability in the DAP program. ForeSee and iPerceptions are surveys that pop up randomly on websites after a few clicks. These surveys ask you how much you liked their website. Today, most agencies are buying this capability, and buying it in a fragments manner. Additionally, there is no dashboard in the sky that displays this data so that I can see instances in which there are websites that are getting lots of hits and people think it is shitty. Hmmm, if we knew that then I would know whose ass to kick.
The trick here is to bake the ForeSee/iPerceptions capability into the DAP. OMB should make this a service available under DAP and preclude agencies from buying those capabilities separately.
Getting out of the Computer Business
Every so often an agency tries to do something stupid. Take this quote from ITA CIO Joe Paiva, “I want to be out of the IT business by July.” 12 The concept sounds good, agencies buy laptops and networks and software and a whole bunch of stuff to achieve the mission, but buying all that stuff isn’t actually part of the mission. It is ancillary. This sounds like a good idea. If our mission is to protect the homeland, or to help farmers, then spending energy or money on anything that isn’t that is dumb. It sounds good and it makes a big splash, but it is actually a dumb way to go, and here’s why.
The crux of what these agencies are trying to do is to go to a managed services contract. That means that you pay one company every month to equip your workforce with the technology necessary to get the job done. That would include laptops or desktops, software, plus the networking and the data centers to run applications and peripherals and mobile devices. On the face of it, it sounds like a good way to proceed. It sounds like it would simplify everything. But let’s walk through this scenario.
Think back to the chapter on Enterprise Architecture. Government agencies do not have our shit together. Nobody has a platform approach and we only have a couple of pockets in which we have started down a “platform” path and that was fleeting. This means that our environments are out of statistical control. Now hear me out on this. If it is really hard for a government CIO to tell people in his or her own agency that they can’t be a unique little snowflake and can’t be a special case, how hard do you think it will be for a contractor to say that? If the CIO can’t compel good behavior, why would we think that the contractor can? I just think that conversation is more difficult and not easier. The business owner in the bureau will simply work to pull rank and bully the contractor into bad choices.
Next, before you outsource your IT organization, you have people in different disciplines who perform their segment of the work. You have technicians who decide what the image should be on workstations and deal with group policies. You have people who manage your active directory. You have people who manage your exchange or email capabilities. You have people who work with the network and the cabling to the wall outlet. You have people who provision virtual servers in your data centers and you have people who babysit the physical servers. You have much more than that, but this will be enough to make my argument. You call everyone together and you tell them that we are going to outsource this stuff to Acme Company. We are going to save a ton of money. You award a contract and Acme company comes in. You spend the first year trying to figure out all the stuff that was different from what was described in the solicitation. You transition in the contractors. What happens to all these people who were managing your AD, GP, network, mail, and data centers? In the near term they spend their time spinning up the contractor team but then their role changes. They aren’t really managing the Active Directory or the Group Policy, they are managing contractors and their skills in doing those technical tasks begin to decay and atrophy. If they were good at their technical activities then they will likely leave your organization so that they can do the work they like and keep their skills sharp. The people you are left with after three or four years are the people who weren’t good enough to get another job doing that work or by now they have transitioned fully over into just contract management people. Here’s the problem.
Once you make that outsource decision you can never go back.
That initial contract will eventually need to be replaced and, like all good agency people we will want to replace it with something better. We will want something that improves upon it. But you can’t because everyone who was worth a damn has already left. You can’t even write a good solicitation because you can’t bring the contractors into that because they will have an unfair advantage when it comes to writing their proposal. But all the Feds who could write it have either left or don’t know what to do anymore. This is the point at which you will begin to fully appreciate Acme’s approach. They might do that initial contract at cost or even a loss. I would. Who cares about profit in the initial contract? We are going to make a ton of money outside of that contract.
So you are going to have a hard time writing your solicitation. That will probably make you late. Better engage the incumbent to make an extension. $$ Then you put a flawed solicitation out there and you get back proposals. They aren’t in alignment with the IGCE because you don’t have anyone on your team who can tell you how much certain activities should cost, and the contractor knows that. $$$ Maybe you get a couple of offerors, that would be good because that would put pressure on the price, but then you may get a protest, and you might need a bridge contract to cover the time lost to implement protest corrections. $$$$ In the end, you are just going to award it to the incumbent anyway and they will play the escalation game with you as the team gets further and further away from managing the technology.
One of the most difficult things in managing contracts is managing quality. When we have government people performing these roles I would argue that we have a better chance at holding them accountable than we do with a contractor. Above is the table of results of the Cyber Sprint during the summer of 2015. Look at the starting point for these agencies: NRC, NASA, Labor, HUD, Education and Commerce (just started a managed service contract). The requirement to implement strong authentication has been around since 2004. Is it weird that the managed service contract agencies make up most of the agencies that were at zero when the sprint started? Not to me. I don’t find that odd. They were removed from the requirement by an additional step and it is way more difficult to implement like that.
Now take the case with NASA. I’m not saying that NASA is awful just because of their managed service contract. But I am saying that they are having a bad time trying to hold someone accountable there. They have widespread performance issues, the contractor is holding them hostage. The bottom line is that they are powerless to fix the issues. This managed services contract precludes them from achieving any of the savings from the category management plays like the one on workstations or software, or from participating in things like FSSI wireless. In fact, they can’t even tell you what their unit price is on wireless service. They could be getting ripped off, or they could be getting the deal of the century. But the fact of the matter is that they just don’t know because they can see with that level of granularity.
I’m not going to say that there is a responsible way to enter into a managed services contract, but I would say that before you did it, HUD, Education, NASA, NRC, Labor, Commerce, I would like to see a robust alternatives analysis that indicates the conditions that makes a managed services contract the right approach. More importantly, I would like to see very specific and objective criteria for when it makes sense to bring it back in. My problem is that outsourcing it is easy. Insourcing is hard; really hard. I have not seen any agency bring it back in after outsourcing their IT capabilities. So in an environment in which we really struggle to make long-terms decisions and when we do, we don’t usually stick to them, this is the exception. Once you do that you are committing to a path that none have returned from. And since nobody knows what the conditions should look like that would cause us to insource those capabilities, nobody ever has. Be very careful here.
In This Series:
8 Image from GSA http://www.gsa.gov/portal/category/108271