Once in a while, it’s good to revisit and reconsider from a distance. It’s just over two years since the then-unknown, Alexandria-based cyber security company Mandiant vaulted into the media spotlight. Remember? Mandiant released a report detailing a slew of cyber attacks perpetrated by the Chinese military. More than sweeping accusations, Mandiant identified specific Red Army IP and physical facility addresses in a bold tell-all counter attack on a sophisticated and persistent Chinese cyber offensive on U.S. targets.
It was a cyber shot heard around the world. To be sure, Mandiant shocked the world when it released the report. Many sources inside the Federal government expressed distress and disappointment – their concern, that Mandiant had tipped the U.S. intelligence community’s hand. The rationale, better not to let our adversaries know we were tracking them. Removing the blind signaled to the Chinese hackers that they should simply change their addresses and methodologies.
Did anybody see the movie The Imitation Game?
Here’s a question – was our government complicit in the Mandiant report? Was this an early jab in a cyber sparring match between the U.S. and China? In May 2014 – one year and three months after the Mandiant release – our government took the unprecedented step of identifying and bringing charges against Chinese cyber attackers by name. Perhaps the Mandiant report was a proxy offensive designed to put the Chinese on notice?
After all, how did a small firm like Mandiant lay hands on such detailed information? How did it have the nerve to release such a controversial report – which could have capsized the firm by invoking the ire of Uncle Sam?
Let’s say the Federal government did want to leak the report through a proxy – who better than a small firm? Using a major contractor would have been a far more transparent proxy. Further, working through a large organization would have been more complex, taken much longer, and amped up the risk of a leak.
It’s doubtful we’ll ever know for sure, but as Alan Turing would tell us, simple things are rarely simple in cyber space.
Do you think Mandiant was pushed?
How did a wannabe Scott Fitzgerald in college become a middle-aged man fascinated by government audits? Now that's a question I frequently ask my reflection in the mirror while shaving. But, fascinated I am.
As if it's not enough to ingest GAO APBs, I recently found myself fascinated by a new analysis of the last 31 years of GAO audits. That's 1.3 million pages and more than 40,000 recommendations. I tip my hat to the digital detectives at Deloitte, who conducted text analytics against GAO reports dating back to 1983 – an audit of the auditors. This is an astute piece of work – and if Deloitte's goal was to grab GAO's attention, then the green light is on.
Top Five in Focus:
The report considers seven questions. I'll drill down on five:
1. Are GAO Recommendations Effective in Driving Change?
Yes. Agencies completed 81 percent of GAO's recommendations between 1983 and 2008. Unfortunately, it can take a while – as much as four years in some cases. The report suggests prioritizing recommendations and setting associated deadlines.
2. Where do Agencies Fail?
Feds have issues where data's part of the problem – doesn't bode well for the DATA Act or new CDO spots. We run into problems when inter-agency or inter-discipline coordination is required – troubling in a collaboration economy. Healthcare and transportation recommendations are common stumbling blocks – what ails healthcare.gov? Ironically, agencies frequently hit the wall when reports call out high-ranking officials or Congress – seems leadership's more comfortable pointing the finger than getting the finger.
3. Where do Agencies Succeed?
Seems agencies do well implementing IT recommendations – IT has two in the top four most likely to succeed spots. Agencies have successfully implemented 94 percent of GAO IT security recommendations – and 87 percent of overall IT improvement asks.
4. Does Nagging Help?
No, no, no, no, no. Repeated GAO reports on hard problems don't improve outcomes. Seems the toughest problems really require Congressional intervention.
5. Has GAO Changed Its Focus Over Time?
Not much. GAO consistently focused on the same topics in the '80s and '90s. The exception, IT has replaced Natural Resources and Environment oversight since the turn of the century. Watch this space.
Nick Carraway, Gatsby, and the CIO
Let's try to bring it together for the dismount. While the areas of focus haven't changed much, GAO has amped up its volume in the top five areas of oversight – from 5,112 recommendations in the '80s to 10,682 in the '00s. That growth tracks with the increase in partisan rancor in Congress, and suggests that perhaps Congress is using GAO as a soft power tool to spur change it can't legislate. The big takeaway for CIOs, weighed down with their new FITARA armor – look for the volume and frequency of GAO IT recommendations to get more intense. That's even before IT's recent debut on GAO's High-Risk List.
Okay, but here are the difficult questions from Nick Carraway – if GAO's recommendations are super effective, and Deloitte says that they are, why is Fed IT still in such a mess? Have we succeeded our way onto the High-Risk List? Without commitments to change and effective leadership from OMB – improving IT outcomes is as futile as pursuing Daisy Buchanan. Let's hope it ends better for Mr. CIO than for Mr. Gatsby. So we beat on, boats against the current...
True to their word, Terry Halvorsen and Major General Alan Lynn released milCloud pricing on Friday. Here's the chance for industry to see the competitor's price card. Some observations.
Congratulations to DoD for enhancing cloud transparency -- and for amping up the competitiveness of its cloud solutions. You have to ask why DISA continues to offer RACE. Or should we say that milCloud is the logical successor to RACE?
Wanna Get the Skinny Directly from DISA and DoD?
Join us on March 25th at the Newseum for the MeriTalk Data Center Brainstorm to hear from Jack Wilmer, Infrastructure Lead at DISA. If you're a govie, register for an executive breakfast program with David DeVries, Principal Deputy CIO at DoD.
The 2016 budget's out – read six pages in the Analytical Perspectives volume to get smart on what's important in Fed IT. If you won't do the homework, this cup's a must-read. We did the reading so you don't have to. In addition to the typical yada, yada on promoting innovation, encouraging small business, and chest thumping on questionable savings, there's some critical data in the budget.
Top line, more tech spending – up 2.7 percent to $86.4 billion. That said, there's a slowing in growth. From 2001 to 2009, we had 7.1 percent annual growth, which has since cooled to 1.7 percent. The administration claims partial credit for slowing growth – citing efficiencies achieved through better management. See key charts for budget breakdown and trajectory.
Three additional hard figures to use in your presentations:
- $14 billion for cyber security
- $105 million to incubate Digital Services at 25 agencies
- $16 million for GSA to administer the open data initiative
Seems the President's given up on the 25 point plan – hooray! We're down to three things. Driving value in IT investments, delivering world-class digital services, and protecting Federal assets. We're seeing the Feds get into the state space – delivering more services directly to America.
The White House's doubling down on PortfolioStat – and getting clean and sober on open government. Despite a series of misfires on the IT Dashboard and transparency, the administration commits to making the results of agency PortfolioStats and IT savings performance available on the IT Dashboard. Let's hope that OMB lives up to this commitment.
Success Stories and Stats:
Bottom line – the White House says we've saved $2.7 billion since 2012 through better IT management. Agile trumps waterfall – the Administration claims a 40 percent improvement in ability to deliver IT projects on time and on budget. Apparently cloud is happening. The budget tells us that 8.5 percent of the 2015 spend went to cloud "and other provisioned services" – that certainly doesn't jibe with GAO numbers. No disrespect to NSF, which has embraced the cloud – but its success is hardly a serious reference point for a major shift to the cloud across government. Big shout-out for data center closures – Feds had shuttered 1,136 by August 2014. That said, it's difficult to believe anybody's really dead unless we can see the corpse.
Not to be a skeptic, but we'd all like to see more details behind these assertions – please post that math on the IT Dashboard. How about some energy metering data – as well as hard expense costs by civilian agencies for data center operations. After all, Halvorsen committed to posting DISA milCloud pricing – will Scott do the same in civvies? It's time to address the credibility gap.
Sense of Security?
CDM appears more than any other acronym in the 2016 IT budget. That speaks volumes. The $14 billion allocation for cyber security and the flagging of CDM will raise some eyebrows. The 17 CDM prime contractors are starting to ask questions about the program's direction moving forward. DHS, any thoughts on how to accelerate the pace of the program rollout?
So, that's the new Fed IT budget flyby. Here's the full text. Here's the ADHD version. Spending up. Simplified – three priorities. Show me the money – promise of new transparency.
With the snow, don’t want you getting frostbite reading this pour on your mobile. Three short pours. Caution, the beverage you are about to enjoy is extremely hot.
Pause: Cloud Chicken?
Think again. Some new wrinkles in the cloud stuff. DoD CIO Terry Halvorsen and DISA’s Major General Alan Lynn called it like it is at the Cloud Computing Caucus Advisory Group meeting on the Hill last week. Cowboy up – DoD cloud requirements will continue to change. For industry, that means ongoing certifications – read greater cost to play. Halvorsen and Lynn also talked about the emerging requirement for what happens when things go missing in the commercial cloud. The Pentagon’s going to want to root around inside industry’s data centers.
The big questions – and, here's the cloud chicken. What if industry decides it doesn’t want to play? Or more accurately, what premium will DoD have to pay to convince commercial cloud providers to play? What if that price is more expensive than the legacy systems? Lastly, Halvorsen wants cloud, but can he afford it – especially if he’s bidding against the world’s biggest customer, consumerization?
Paws: Big-Bang Bust Up
Watch out for the claws. GAO doesn’t like the Big-Bang theory – it put IT on its High-Risk List. Here come the hearings. Great time for Tony Scott to take the wheel. Here’s Scott’s opportunity to use oversight as leverage to make real changes.
Pours: It’s Nice to Share
More tea, vicar? Senator Carper may be a Target shopper – that’s why he’s introduced the new Cyber Threat Sharing Act of 2015. Building on the President’s Executive Order, Carper's proposed bill tells us to share and share alike. It lays out a good framework for industry and government cyber collaboration. Puts the National Cybersecurity and Communications Integration Center – NCCIC – center stage. Swings at corporate liability barriers, pushes for faster sharing, and stresses the need for government to share too. The devil lives in the details – curious to see plans to operationalize. We’ll need carrots and sticks to move this stuff forward.
Pause. Paws. Pours. What’s cool and what's getting you hot and bothered in Fed IT?
At last, someone that knows what they're doing. That's the hopeful refrain from Federal IT and industry folks after the White House announced Tony Scott as the new Federal CIO. You can tune in on Tech Tony's Titan Talent here. But, I'm pouring a cupful of the one thing nobody asks for – advice. Five points to consider:
Less is More
Here's a chance to reset the madness that is the 25-Point Plan to Fix Fed IT. There are only 10 commandments, how can there be 25 ways to fix Fed IT? Time to back away from the measles – pick three to five priorities. How do we lift the mountain of mandates from the shoulders of our IT leaders – the beatings will continue until morale improves? Time to square the goal posts – and measure Fed IT execs on performance.
To be sure, not suggesting that we walk away from metrics – or that we simply dismiss all the audit work that exists against programs like FDCCI, Cloud First, and CDM. But we have to reduce the number of things we measure – or the cure is worse than the disease. Make friends with GAO – they know where all the bodies are buried.
Carry the Standards
Is FedRAMP a good standard or not? If it is, stand behind it. The June 5th OMB FedRAMP non-deadline made fools of the administration and frustrated agencies and industry alike. If you're going to drive to Cloud and Mobile First, then mean it. Do FISMA, CDM, and risk management represent the path forward in cyber – clarity on coexistence please?
Common Defense Policy
While OMB can't pull rank in DoD, it's a great idea to sit down with Terry Halvorsen to map out battle plans. Terry mentioned he knows Tony at yesterday's Cloud Caucus Advisory Group meeting on the Hill. So gents, we look forward to the two of you getting together to map a path to maximize joint operations.
In government we have our special acronyms designed to confuse and confound. The way we budget is all messed up. It's hard to recruit and retain the best and brightest. And, we're older than the commercial market. Other than that, it's exactly the same – and that with no sarcasm. Feds are people – they want to do a good job, and respond to carrots and sticks. Go speak to frontline IT operators. Factor FITARA. Time to reconstitute the CIO Council – and put it to work.
Taking over as Fed CIO with less than two years in a lame-duck administration may seem like a resume-building move. Here's hoping Tech Tony is Great Scott.
As the new Federal CIO readies to reboot the administration's IT modernization agenda, folks can be forgiven for uttering – at last someone who knows what they're doing.
Your thoughts on recommendations for Tony Scott?
Is DoD marching in double time to the cloud – or MIA on modernization? That’s the question that caused companies to close ranks at last week’s DoD industry day at the Commerce Department. Couldn’t get a billet? You’re not alone – many could not get in. Here’s the military intelligence and an opportunity to sign up to witness Halvorsen drop the second boot on cloud. Halvorsen, Major General Alan Lynn, Chief Technology Advisor Kenneth Bible, and Deputy Assistant Commandant Thomas Michelli will take the Hill at the Cloud Computing Caucus Hillversation on the Hill February 12.
But first, let’s reconnoiter the battlefield from last week’s industry day.
Data Center Court-Martial
Halvorsen tore the epaulets off traditional data center definitions. Don’t think traditional standalone data dungeons. Set the data free. Think joint operations across multiple clouds – with and without dog tags. “Industry needs to share data…There won’t be one single cloud environment.” No encrypted code here – DoD requires joint forces in the cloud.
milCloud Situation Report
milCloud has been at the center of the DoD IT modernization discussion since its launch last October. Halvorsen said milCloud is too expensive – although he decorated DISA for cutting milCloud costs by 10 percent. Still, industry wannabe milCloud rivals find themselves in no man’s land – nobody knows milCloud’s price list. At the same time, Halvorsen noted the potential to break ranks with DISA and join forces with commercial CSPs as they steel their perimeters and beef up internal security. DISA’s number two, Maj. Gen. Alan Lynn, defended milCloud. He said active duty milClouds in Alabama and Oklahoma offer cheaper prices and better customer service than at launch.
A River in Fatigues?
Halvorsen took a leaf out of NSA’s cloud combat catalogue – asking industry to deliver proposals to OEM commercial clouds inside DoD, effectively putting commercial products in camouflage military uniforms. Don’t dismiss it – at the Navy, the Cloud Commander-in-Chief floated some services up the Amazon.
Defense Goes Offense on Cloud
Like you, the Hill wants to know more. Join me at the Cloud Computing Caucus Advisory Group at the Top of the Hill on February 12th to hear from Halvorsen, Lynn, Bible, and Michelli. Will Halvorsen deliver new intelligence on cloud in combat? Will DISA share its MilCloud price catalogue? Have the Marines got there first? Is the coast clear for cloud at Coast Guard? To the cloud – now’s no time to retreat. Register today.
In Fed IT, it's AFE. Don't recognize that TLA – Three Letter Acronym? It's Acronyms For Everything. As the elephants and donkeys charge and kick one another over the 3Is – Immigration, Iran, and Israel – there's one acronym on which they find common ground – FITARA. And, that one doesn't need spelling out – unless you've been hiding under a rock.
Reds and blues don’t agree on much, but they’re united in their call for enhanced efficiency in government IT. Importantly, FITARA is law now – and the CIO empowerment act gives Federal CIOs the nuclear option. That said, to quote Spider-Man, with great power comes great responsibility. As it elevates CIOs, FITARA also puts the top IT execs in the hot seat.
We all remember that Vivek Kundra set the pace for change as President Obama’s first Federal CIO. At the time, given the administration's initial Open Government policy, this all made sense. Vivek published headcounts for Federal IT data centers, sounded the battle cry to the cloud, and set quantifiable targets for new efficiencies. Accurate or fantasy, the metrics provided everybody a way to get a grip on the $80 Billion slippery fish that is Federal IT – some say $160 Billion fish. So it's ironic, the pro-government Democrats essentially placed a target on the back of the CIO.
Hardly surprising, the Republicans – led in the House by Darrell Issa (R-Calif.), then-chairman of the House Oversight and Government Reform Committee – and closely supported by the committee’s senior Democrat, Gerry Connolly (D-Va.), loved the idea of increased government accountability. In fact, Issa and Connolly like Fed IT modernization so much, they co-founded the Cloud Computing Caucus. The Senate too took on Vivek’s metrics mania – where Senators Carper (D-Del.) and Coburn (R-Okla.) carried the torch. Together, the warring parties passed FITARA – it's the Acronym Across the Aisle.
CIOs in the Crosshairs
So now that it’s law, it's time to implement FITARA. The law says agency CIOs need to sign off on each and every IT purchase and makes it illegal for other agency execs to reprogram IT appropriations. So if IT projects succeed, CIOs should expect laurels. If they run into challenges, OMG.
A couple of concerns here in defense of CIOs. First off – FITARA envisioned consolidating the CIO title so that there would be just one per agency. Today, many government departments have multiple CIOs within the bureaus and components that make up each agency. This CIO consolidation got killed in the final stages of FITARA’s passage into law. This proliferation of CIOs dissipates control and accountability.
Second, there's the whole cloud thing – and its impact on Shadow IT. The reason folks speculate that the Federal IT budget may be much bigger than the $80 Billion appropriation is that significant IT investments live within funding for other programs. For example, IT guidance systems within a missile defense system don't roll up into the $80 Billion IT number. So, do CIOs have veto power on those shadow IT components within "non-IT" programs? I don't think so.
Shadow IT's an old chestnut, but it's made super relevant today by cloud computing, which is providing a new dimension to the hidden IT economy. Recent IG reports tell us that some Department CIOs only see about 30 percent of their agencies' cloud investments. Mission owners are buying cloud services – sometimes on their credit cards – without OCIO visibility or approval. Like Peter Pan, CIOs need to get a grip on their shadows to really gain control of IT.
So, we're heading into hearing season. We understand the folks at GAO have a series of new reports and statistics that point at data centers, cloud adoption, and security. OGR, under new Chairman Jason Chaffetz (R-Utah) and long-time tech champion Connolly, will look hard for Fed IT progress and savings. Guessing the new OGR Information Technology Subcommittee, headed by Chairman Will Hurd (R-Texas), will be the crucible for accountability and change. On the Senate side in HSGAC, Senator Ron Johnson (R-Wis.) and Senator Tom Carper (D-Del.) won't want to be left out of the IT action.
Rumor has it, the CIO Council has already met this year to map out FITARA implementation plans. While the weather's cold, it's going to get hot in IT. All eyes on the CIO Council and the Hill. And let's not forget the most important acronym in D.C. – CYA.
What's your take on FITARA? Will the new law change things?
This one's less of a Cup of IT – more like Texas tea, black gold, oil that is. Based on my citizenship exam, three things enshrined in the constitution – freedom of speech, right to bear arms, access to cheap gas. So, I recognize my headline may prove flammable – but here goes.
Barrel of Laughs?
What hasn't been said about falling gas prices? Detroit happy, Putin sad, drivers revving engines in SUVs. But what about the impact on tax revenue and our aging infrastructure? I was concerned that falling gas prices would mean reduced tax revenue – and failing highways/falling bridges. So, I looked at how government taxes gasoline – which funds the Federal highway system. Interesting, it's not a percentage. The Feds pour 18.4 cents on a gallon of gas and 24.4 cents on a gallon of diesel – just my luck, I drive a diesel. The state tax is a sliding scale – but the average load is 30.1 cents. They're equal opportunity discriminators for gas and diesel.
The net here, as best I can tell, government revenue is firewalled off from fluctuations in fuel prices. Ironically, I'm guessing that tax revenues will spike as demand bubbles up.
Oil and Water?
So, what's fueling the price fall? I debated this with Tom Davis and Jim Moran just last week at Don Upson's CES Government conference – quite a program. Is it a war between the shale men and the sheikhs? Theories abound. Most popular, OPEC outflanking the frackers – keeping supply high to burn up US shale oil, which is not viable below $70 a barrel. But, how does that make sense? Surely OPEC is hurting itself in the near term, and the frackers will just start right up again when the price of a barrel of oil hits $70 again – which it surely will.
Here's another theory that actually makes good sense. Global demand is down – due to the Brazilian, Chinese, and European slowdowns. As the price falls, OPEC has two choices. One, it can cut production – which means it's hit twice with lower revenue per barrel and lower volume. If OPEC holds back, other producers will step in to fill the world's tank. Or, two, it can continue to pump – increasing volume to make up for the price shortfall. Seems one hit is better than the double whammy.
On the Right Road?
Okay, so here's the heretic thought for the dismount. With gas prices at an all-time low – in real terms – isn't now the perfect time for government to hike the gas tax? We haven’t increased gas taxes since 1993. The President signed a $10.8 billion stop-gap bill last August to fund highways for 10 months. Proposed bipartisan Senate legislation to raise the fuel tax by 12 cents per gallon ran out of gas. It would have raised $164 billion over 10 years – enough to upgrade our infrastructure and perhaps get us on the right road to new smart highways.
So, now’s the time to put the gas tax hike back on the forecourt. As gas prices are down we can produce much needed revenue today – without hitting folks hard in the pocket book. In addition to funding infrastructure – sliding higher gas taxes into the mainstream will start to steer our economy away from our unhealthy gas addiction and stimulate energy innovation.
Even the Clampetts would agree this is no gas matter. Is my analysis too crude? Y’all come back now, y’hear?
If Uncle Sam has a New Year's resolution, maybe he should stop chewing his digits? No, I'm not talking about nail biting, I'm talking about digital natives. The Washington Post tells us folks under 30 represent just seven percent of the Federal workforce – the low-water mark in over a decade. For context, one quarter of the U.S. workforce is under 30. And, the government's bleeding babies – nine percent of folks flying the Fed coop in 2013 were millennials. If we're looking for new ideas in government, we're going to need fresh DNA. We've heard plenty about the Silver Tsunami – what about the Millennial Monsoon? Sequestration, pay freezes, the civil smear, and economic recovery have hurt the government's millennial mojo.
And, as we talk about challenges with the government workforce – and people quitting government – it seems appropriate to tip the hat to the young at heart – Congressman Jim Moran (D-Va.). Just this week, I had the honor to travel with Jim on his last day as a Congressman. After 30+ years in public service – as the Mayor of Alexandria and 24 years in the Congress – Jim Moran has elected to bow out. On travel, we ate together at a restaurant – and Jim insisted on clearing the dishes himself. No hubris here. What a gentleman – and advocate for Federal employees. Jim Moran, thank you for your service. You will be missed in Congress – but we know you're not stepping away from our community, there's still work to be done.
Short pour this week. But in this weather, a warm cup of IT should do you good. Wishing you the very best for 2015.
What does everybody in Federal IT want for the holidays this year? Answers to five FedRAMP questions:
Coal in OMB’s Stocking
The Council of the Inspectors General on Integrity and Efficiency (CIGIE) IT Committee’s September report on Federal Cloud Computing considers many of these questions. Some interesting stats: IGs looked at a sample of 77 Federal commercial cloud contracts valued at $1.6 billion. They found most cloud contracts – three out of four – don't follow the Federal government's cloud computing guidelines.
Three quarters of agencies don't even require CSPs to be FedRAMP compliant. CIGIE dug in on 19 agencies' cloud programs – and found nine did not have a good inventory of their cloud systems. Extrapolate those percentages across all 438 Federal cloud contracts – some $12 billion worth – and it doesn’t take a red-nosed reindeer to see there’s a problem.
CIGIE lays the blame at OMB's feet. The report notes OMB set up FedRAMP via policy memorandum, established the JAB and PMO office, and imposed the June 5, 2014, FedRAMP compliance deadline. But, OMB failed to establish an enforcement mechanism to police deadlines and hold agencies that fail to comply accountable for their actions.
CIGIE offers four recommendations. It firmly recommends that OMB determine how to best enforce FedRAMP compliance for CSPs and establish a reporting system to ensure agencies require FedRAMP compliance.
What's Under the Tree?
Rumor has it GSA is readying a two-year FedRAMP roadmap. Could it be under the tree in time? Will it clarify the policy? Will OMB take the leadership opportunity it provides?
Naughty or Nice?
MeriTalk and the Cloud Computing Caucus Advisory Group are being peppered with calls and emails from unhappy CSPs who thought they'd been nice by getting into the FedRAMP pipeline, but now are being told they've been naughty. Some agencies won't buy services from CSPs unless they're all the way through the FedRAMP process; others are buying, as long as CSPs are on a FedRAMP pipeline with GSA or another agency; still others are looking at where CSPs are on the FedRAMP OnRAMP – documentation, testing, authorization, and the end zone (continuous monitoring). Based on the CIGIE report, a whole pile more of agencies are just sidestepping FedRAMP all together. The Hill is asking questions.
More Elves Please
Matt and Claudio in the FedRAMP PMO at GSA are working long hours in the FedRAMP toy workshop. We launched the FedRAMP OnRAMP with GSA in March of this year. We took a look back at pipeline progress and who's gained an ATO in the past nine months. Here's the before and after.
In March there were 10 ATO’d CSPs, with a total of 11 certified solutions – Microsoft had two. Eleven more were in process for ATOs. Nine months later, only three more CSPs are ATO’d, and only 15 solutions are certified – Microsoft and Oracle have two each. Three CSPs haven’t progressed at all – Layered Tech, Virtustream, and MaaS360 – while Carpathia has set the pace as the fastest-moving CSP in the pipeline. Another 17 CSPs are in the ATO process.
FedRAMP is critical to government adopting cloud. GSA needs reinforcements in the workshop – more elves, please.
Curious to know how DoD is doing on cloud? Register for the Cloud Computing Caucus Advisory Group “Defense Goes on Offense” program taking place this February 12 on the Hill. Seems DoD is marching to the cloud in double time.
New Year's Resolution
As goes FedRAMP, so goes mainstream government cloud adoption. GSA’s working hard to lead the way. Here’s hoping OMB makes cloud part of its New Year’s resolution – or we can kiss mainstream cloud adoption goodbye (yes, that can be under the mistletoe...). What's on your cloud holiday list?
Halloween is safely in the rear view mirror – but Uncle Sam's still wracked by IT nightmares. App gluttony's front and center as we head to Thanksgiving – and a new MeriTalk study, the App Gap, showcases agencies' eating disorders.
GAO sets the table on stats. With 777 supply chain and more than 600 HR systems – there are clearly too many calories in our app diet. And, agencies have no plans to reduce their app portions. Seventy percent of Feds expect more apps on the plate – projecting a 19 percent expansion in agencies' app waistlines.
GAO says agencies spend 69 percent of their budgets maintaining systems that are past the sell-by date. MeriTalk pegs the cholesterol count still higher – with 79 percent of agency budgets invested in George Foreman grills. Only one in three Feds say their current infrastructure provides a well-balanced diet to support their agency's mission.
As in life, poor folks eat poorly. Seventy-three percent of Feds assert that budget keeps them from updating legacy systems. However, if you look for the soft part in the middle, 36 percent of Feds point to politics as the poison – that's nothing new in D.C. If folks are used to the all-you-can-eat buffet, nobody'll want a salad.
Peanut Butter Not the Solution
Paying off on the politics, Fed IT pros assert that they're forced to peanut butter available budgets over too many rotting apps.
If freed to take out the trash, 48 percent of Feds would serve up new apps, 43 percent would consume the cloud – and IT pros assert that new virtualization investments would trim the IT fat by $4.5 billion.
Looking for a recipe for success this turkey day – and a heaped helping of hilarity? Look no further than our Fed IT gourmets' take on bad lip reading – That's How You Cook a Bird. Key ingredients – hint of Halvorsen, pinch of Palmer, Barloon broil, Rudnicki roast, butter goes on top.
Now that's funny...
Enjoy the holiday with your family.
If you'll pardon the puns – mobility is the most dynamic sector in Fed IT. And, securing those environments is a moving target. But, to be sure, Fed mobile security is no laughing matter. Just last year, Fed cyber warriors had to respond to 228,700 cyber incidents. This AP story on Key Federal Cybersecurity Breaches Over the Past Years will turn us all into cyber worriers. Snowden to China to dodgy-UK hackers.
Mobile Work Exchange, MeriTalk's sister organization, lives right at the crossroads of cyber security and computing on the go. There's no shortage of danger. Some stats from recent Mobile Work Exchange research – six percent of Feds who use a mobile for work say they've lost or misplaced their phone – that's 3,500 chances for a security breach. Fifteen percent of Feds have downloaded a non-work related app onto their work mobile. Fifty-two percent fail to use multi-factor authentication or encryption. One in four don't use a password on their work mobile device. You can check your personal mobile security profile using the Mobilometer.
If you want to get up to speed on the mobile security maelstrom. If you want to learn more about how to mitigate mobile malware. If you want methods to marshal a mobile mantra around security. Tune in November 18th at 2:00 p.m. EST for the Mobile Security Movement webinar. You'll hear from real government mobile security experts – Tarrazzia Martin at HUD and Dr. Sam Musa at EEOC. Register today – seating is limited.
Half pour this week – figure it's easier to read on that Blackberry. I'll be waving to you on the webinar November 18 – register today.
Don’t go boating without a life jacket. And, don’t collect, store, or try to manage data without an Information Governance strategy. That’s IG, but if you don’t have one, you’ll end up all at sea with the other IG – the Inspector General. Turns out many organizations – public and private – have set sail without taking the proper precautions. For too many agencies, information governance strategies, like access and security, are an afterthought.
A recent research study – “Navigating Information Governance: What’s Your Strategy?” – quizzed public- and private-sector attorneys, IT executives, FOIA agents, and records managers about information governance. Everybody agrees information governance is critical to their organization’s mission.
But information governance practices are murky. And, government and industry are mostly in the same boat.
Nearly three quarters of organizations have a formal, enterprise-wide information governance strategy, but just one in five says it’s very effective. Organizations understand the problem and the steps to solve it, but information governance programs consistently fall short.
Drowning in Data
How’s this for a rising tide? The digital universe doubles every two years and will reach 40,000 exabytes – 40 trillion gigabytes – by 2020. For context, a single exabyte of storage can contain 50,000 years’ worth of DVD-quality video.
Although some measures and regulations are necessary for data protection and public transparency, many organizations believe they’re fighting against the tide on regulation. When it comes to eDiscovery and FOIA requests, organizations’ biggest technology weaknesses include: data processing and filtering (38 percent), data collection (36 percent), and review (28 percent).
Respondents also say data security and protection is the single largest information governance risk their organizations will face if not addressed, but only 37 percent give their organization an A for data protection.
Missing the Boat?
In contrast to the private sector, Feds say budget’s their most significant information governance challenge. Management needs to know that proper information governance will improve business operations, regulatory compliance, and constituent service across the board.
Beyond harnessing, synthesizing, and turning information into intelligence, organizations need to be in control of data to meet governance transparency objectives, respond quickly to eDiscovery requirements, manage FOIA requests and internal investigations, and comply with records management regulations.
To ensure effective, enterprise-wide information governance programs, organizations need to focus on people, process, and technology improvements. A whopping 95 percent of organizations have made investments in this area in the last two years. And, over the next two years, organizations will invest further in security software, document management, data loss prevention, and backup.
So organizations should gain visibility, take action, and assume control of their own data. When executed correctly, an all-inclusive approach makes information available to those who need it, when they want it, while reducing storage costs and safeguarding compliance.
Read the full report here.
Is your organization sinking or swimming in information governance?
Has government procurement lost its rudder completely? Stand aside the $500 hammer and golden toilet seat – seems IT procurement is all at sea.
The Navy’s ahead of the wave. Fearful of protests by bidders forcing it to walk the plank, the Navy awarded its $5.3 billion Seaport-E to 3,752 companies. The sailors’ll be drowning in proposals, and the contractors’ll be thirsting for revenue.
All at Sea?
How does the Navy torpedo IT cost from $286 million to $2.1 million? NMCI/NGEN price for SPAWAR Pacific email – $286 million. Price shopped to DISA, $55.3 million – but looking through the telescope and not seeing a solution on the horizon this decade. Dell wins with COTS cloud commercial Microsoft hosted email for $2.1 million. Now that’s plain sailing. Evidence that cloud means a hole in the boat for IT contractor revenue?
Top 20 to Watch?
But let’s look past these two vessels to consider the full horizon – and beyond the horizon. BGOV and Deltek recently came out with their respective FY 2015 lists of the top 20 Federal IT programs. These are the aircraft carriers, although Deltek’s has a bigger landing strip at $206 billion vs. BGOV’s $136 billion. To be sure, these are no trifling sums. Place BGOV’s lightweight vessel next to national economies to put it in perspective. The Top 20 programs have a combined value that exceeds Bangladesh’s GDP, weighs in at just a hair less than Iraq’s, and comes in at more than half Israel’s.
Cloud in the Armada?
On a flight last weekend I took a look at the data. Here’s what I found. First observation – no explicit cloud programs, although they’ll likely sneak into many of the solutions. No place for cloud in mission-critical infrastructure or apps?
But let’s focus on what’s here, rather than what’s not. Here’s the breakdown of the mega contracts. It’s green gov at the head of the fleet. No, that’s not eco-friendly. Marching at the head of the flotilla is the U.S. Army, with three programs worth $69 billion. No fatigue here. Then it’s a long fall back to the number-two contract – Defense Health Agency’s $20 billion D/SIDDOMS IV.
Stern to stern in the third berth are DISA and VA at $12 billion apiece. GSA sits next in the lineup with two programs valued at $9 billion. Then it’s DHS with three programs valued at a total of $5 billion, with the Air Force right on its wing tip – it has three programs with a combined value of $4.3 billion. Then it’s Navy, HHS, SOCOM – at $1 billion each, followed by the Army Corps of Engineers and DOT, with $0.9 and $0.8 billion, respectively.
Any Port in a Storm?
Mapping BGOV to Deltek is not exactly 20/20. Only six of the BGOV programs appear on the Deltek top 20. Interestingly, drilling down on those six programs, the two analysts attributed different values for the same contracts – to the sum tune of $8.2 billion. BGOV is more optimistic. It values Army’s ITES-3 at $25 billion, while Deltek values it at only $20 billion. BGOV puts VA’s whopper at $12 billion, where Deltek shorts it at just $9 billion. They trade places on Army Encore III – Deltek values the program at $12.2 billion, with BGOV placing it at only $12 billion. Further, BGOV attributes with greater fidelity, attaching Encore III to DISA and D/SIDDOMS IV to DHA. Deltek maps them both to DoD.
Lots of differences between the numbers, but one thing is sure – there’s still lots of money in Fed IT. That said, this could be the calm before the storm. The 2014 bipartisan budget agreement smoothed the waters for 2014 and 2015, but sequestration took $1 trillion out of the budget over a 10-year period. Consider that alongside the clouds already on the horizon, and there could well be a storm brewing.
Feeling sea sick? Grab the Dramamine. You may need it. How do you see the future for Fed IT funding?
There's an arms race going on like we haven't seen since the Cold War: HP, IBM, Amazon, and Google. They're knocking together data centers quicker than the price of cloud computing can plummet. The price of Amazon’s web services has fallen by about 50% every three years since 2006. Where will it end? Are the new entrants pushing the traditional players into mutually assured self-destruction? What happens to the customer if the provider goes up in smoke?
What’s the price for dot.com stocks?
Anybody else afraid the emperor may be naked? How quickly will Nero catch a chill if the cloud condenses? Oh, and I know, cold is only an anagram for cloud if U are in it.
Why Go to Work?
Every day you shave or powder your face in the mirror, put on a smile, and head out to make the doughnuts. But, what if you could get paid for doing nothing? And not just get paid, but earn millions? That's precisely what fraudsters are doing every day in America. And, who are the dummies paying these deadbeat crooks? Here's the punch line – it's you and me, my friend. Individuals and organized crime are cleaning up stealing from Uncle Sam – and all of us.
Calling in Sick?
As America ages, we’re addicted to ever more expensive healthcare. We spent 17 percent of GDP on tests and remedies – that’s $2.7 trillion – just last year. Uncle Sam spends $415 billion and $600 billion each year on Medicaid and Medicare, respectively. In 2012, Donald Berwick, one time head of CMS, examined the patient for fraud fever. His diagnosis, the disease adds $98 billion to Medicare and Medicaid – and $272 billion to national healthcare costs.
How? Everything from billing for phantom wheelchairs and pushing prescription drugs on the street to Lazarus’ ambulance use and good-old-fashioned overbilling.
Not to be outdone, tax scammers are turning the IRS into an ATM. Hang onto your hat – or wallet – for these stats. Each year, the IRS receives 145 million tax returns – 75 percent want refunds. TIGTA estimated that the IRS paid refunds to 1.5 million fraudsters in 2011. The top five domestic addresses received 4,900 refunds. Heavens above, IRS paid 655 refunds to a single address in Lithuania. Between January and September of last year, IRS identified 170,000 fraudulent returns filed by prison inmates.
How? Identity theft – filing tax returns for innocent victims, and collecting the refund checks.
Welcome to Miami?
Miami is the healthcare and tax fraud capital. It generates fake tax returns at 40 times the national average. Is it the sunshine or the orange juice? Neither, Miami’s hot because of the old folks. Lots of medical bills, loads of folks who have a social security number but do not file a tax return, and yes, lots of dead people.
What’s This to IT?
The $80 billion Federal IT budget is dwarfed by fraud. Further, Capitol Hill understands and cares about fraud. Folks like Gary Cantrell, an investigator at HHS, have demonstrated the power of analytics to ferret out fraudsters – returning $8 for every $1 invested. But, in D.C. it’s not about RoI, it’s about Return on Political Capital – RoPC.
Rather than sell the cost savings of cloud, perhaps we should focus on the ability to level stovepipes and bring data together across the government to catch cheats? There is no national repository for Medicaid data, which lives in each state. Put Federal apps in the cloud and question farming will yield new insights and massive savings.
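The analytics the post points to (Cantrell's $8-for-$1 return, TIGTA's count of refunds landing at a handful of addresses) come down to simple aggregation over pooled data. Here is an added, illustrative example of that kind of check, written for this page and not code from HHS, IRS, TIGTA, or Pivotal: it normalizes the refund destination address, counts refunds per address, flags SSNs that appear on more than one return, and holds the affected returns for review before payment. The refund records, the field names, and the per-address threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
import re

# Constructed sample refund records (not real data): each row is one refund
# the system is about to pay out. Four rows share one address written three
# different ways; one SSN appears on two separate returns.
SAMPLE_REFUNDS = [
    {"return_id": "R001", "ssn": "111-11-1111", "address": "12 Oak St, Miami, FL", "amount": 1200},
    {"return_id": "R002", "ssn": "222-22-2222", "address": "12 Oak St., Miami, FL", "amount": 980},
    {"return_id": "R003", "ssn": "333-33-3333", "address": "12  oak st, miami, fl", "amount": 1500},
    {"return_id": "R004", "ssn": "444-44-4444", "address": "12 Oak St, Miami, FL", "amount": 2100},
    {"return_id": "R005", "ssn": "555-55-5555", "address": "77 Pine Ave, Omaha, NE", "amount": 640},
    {"return_id": "R006", "ssn": "555-55-5555", "address": "9 Elm Rd, Denver, CO", "amount": 3000},
    {"return_id": "R007", "ssn": "666-66-6666", "address": "4 Birch Ln, Austin, TX", "amount": 410},
]


def normalize_address(addr):
    """Canonicalise an address so trivial variations ('St.' vs 'St', extra
    spaces, letter case) collapse onto one key. Without this step the
    per-address count is trivially evaded by re-spelling the address."""
    addr = addr.lower()
    addr = re.sub(r"[^\w\s]", "", addr)  # drop punctuation
    return " ".join(addr.split())        # collapse runs of whitespace


def refunds_per_address(records):
    """Count refunds per normalized destination address."""
    return Counter(normalize_address(r["address"]) for r in records)


def flag_address_clusters(records, threshold=3):
    """Return {normalized_address: count} for addresses receiving more than
    `threshold` refunds. The threshold is an assumed tuning parameter; a real
    program would set it from the legitimate multi-filer rate at an address."""
    return {a: n for a, n in refunds_per_address(records).items() if n > threshold}


def flag_duplicate_ssns(records):
    """Return {ssn: [return_ids]} for SSNs filed on more than one return,
    the signature of a stolen identity being filed alongside the real one."""
    by_ssn = defaultdict(list)
    for r in records:
        by_ssn[r["ssn"]].append(r["return_id"])
    return {s: ids for s, ids in by_ssn.items() if len(ids) > 1}


def hold_for_review(records, threshold=3):
    """Return {return_id: [reasons]} for every refund that should be held
    before payment. Returns with no finding are simply absent."""
    suspect_addrs = flag_address_clusters(records, threshold)
    dup_ssns = flag_duplicate_ssns(records)
    held = {}
    for r in records:
        reasons = []
        if normalize_address(r["address"]) in suspect_addrs:
            reasons.append("address cluster")
        if r["ssn"] in dup_ssns:
            reasons.append("duplicate ssn")
        if reasons:
            held[r["return_id"]] = reasons
    return held


if __name__ == "__main__":
    for rid, why in sorted(hold_for_review(SAMPLE_REFUNDS).items()):
        print(rid, ", ".join(why))
```

The point of the example is the one the post makes about stovepipes: both checks only work when returns from every filing channel and every state land in the same table, because a cluster split across separate databases never crosses the threshold in any one of them.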
Stealing From Uncle Sam
Want to learn more? Attend our Stealing from Uncle Sam: Fraud, Waste, & Abuse forum at the Newseum on November 19 – don’t worry, this isn’t a how-to tutorial. Join Senator Carper (D-De), Chairman of the Senate Homeland Security and Government Affairs Committee; Gary Cantrell, Deputy Inspector General for Investigations at HHS; Dean Silverman, Director, Office of Compliance Analytics at IRS; and Marshall Presser, Field Chief Technology Officer at Pivotal.
What do you think the government should do with the $272 billion stolen in healthcare costs?
*Special thanks to the Economist Magazine for the inspiration and many of the data points.
2014 is a tipping point. For the first time, IT will serve more pages to phones than PCs. So, aren’t phones cloud devices? Sure we’ve wrestled with Hunger Games horrors, but most everybody’s dialed into the mobile cloud. Hold the phone. According to two new GAO reports, Uncle Sam is still struggling for cloud dial tone – although seems to be getting through in data center savings.
Why Be a Box Hugger?
GAO’s cloud report looks at seven civil agencies – gauging cloud progress since 2012. The numbers speak for themselves – while the branches have a total of 80 new cloud services, the uptick in cloud spending is just one percent.
Why so low? Two reasons. GAO tells us that agencies aren’t up for legacy migration – they’re only considering new build for cloud. That means 67 percent of the IT spend is off the table before you start. Second – and I’m adding this to GAO’s analysis – cloud is too hard to buy. Acquisition ache surfaced as a constant theme at the recent Cloud Computing Brainstorm.
Seems Terry Halvorsen’s falling in with these issues. Interesting to watch him strafe the DISA cloud last week – encouraging the agencies to go AWOL to get the cloud they need.
Caucus and the Cure?
That brings us to tomorrow’s Cloud Computing Caucus Hillversation. Join the Air Force, DHS, GSA, and NASA SEWP on the Hill for a lively discussion on cloud acquisition. We’ll also preview a new Independent Government Cost Estimator tool for the cloud. While the FedRAMP OnRAMP shows you what’s available, the IGCE takes you deeper – to understand how to buy FedRAMP-compliant cloud and how much it’ll cost. This gizmo’ll put some pep in your COTR’s Cloud step.
CIO Cloud Connection?
And, if you need more cloud in your life – and GAO says most Feds do – here’s an early flag for a gathering of CIOs on the Future of the Federal Cloud. November 18 – a half-day session, featuring Fed CIOs, with real dialogue about what’s working and what’s not in Federal cloud. Sorry this program’s government only. Feds register here.
Is FDCCI Dead?
Not to forget cloud’s twin sister, GAO put out an eye opener on Data Center Consolidation. While cloud’s dealing with hang ups, seems data center consolidation’s dialing direct to the bank. GAO looked at 24 agencies' FDCCI efforts; 19 reported a total of $1.1 billion in cost savings and avoidance for 2011-2013. Three – DoD, DHS, and Treasury – contributed 74 percent of that lettuce.
But, as you’ll remember, the goal for FDCCI was to save $3 or $5 billion by 2015. GAO looked downstream between here and 2015 – and further to 2017. Altogether 21 agencies plan to save $2.1 billion by 2015 – and another $2 billion by 2017. Which takes us to $5.3 billion in cost savings and cost avoidance.
So, seems FDCCI’s far from dead. That said, here’s a stat and a source for you.
As of May 2014, agencies reported a total of 9,658 data centers – approximately 6,500 more than reported by OMB in 2011.
All part of a successful consolidation push. And, people think I make this stuff up…
Do you think cloud is rising or sinking? Is there enough cloud in your life? Is cost avoidance the same thing as cost saving?
Ellison is footloose at Oracle. Mega merger murmurs – HP, EMC, Dell, and Cisco? iPhone 6 off the hook. Big tech headlines. But, did anybody notice Steven VanRoekel step down as Federal CIO? The answer, deafening silence. As D.C.'s neck deep in end-of-fiscal-year planning, it's an interesting time to consider what's ahead for Fed IT.
Who's on First?
The days when Uncle Sam's massive buying power shaped tech may be over. And, as CIOs jump CapEx to OpEx, procurement needs to consider who'll assume the risk if Feds don't want to clear cut contractors. Who'd capitalize a specialized government cloud if you only get a two-year contract? Why would you step up to fund certifications if the government doesn't buy what it sells? The Beltway as we know it may become a less congested place.
V for Victory?
From Vivek to VanRoekel – it's quite a journey. Who's the next Fed CIO has always been an exciting question to ponder. Not much buzz right now.
How's the end of year shaping up? Everybody's watching Teresa Carlson's numbers. Who should take the helm at the USS IT? If Bezos bought the Post, perhaps Larry Ellison wants in as Fed CIO? Is it time to merge agencies' IT operations – or consider a buyout from the commercial sector? What do you think?