FedInsider.com brings you fortnightly the voices of those in the government community driving change. Hear about leaders from both government and industry who are managing government’s most challenging issues. Watch your inbox on the 1st and 15th every month.
THE FEDINSIDER’S VOICE: TOM TEMIN - A trusted member of the Federal community, Tom has had a seat at the table from which to inform us on the issues of the day for more than 16 years. As the editor of FedInsider.com, Tom will continue to bring you viewpoints on the issues of the day.
FedInsider.com is published by Hosky Communications Inc.
3811 Massachusetts Ave.
Washington, D.C. 20016
202-237-0300
Complete Articles for July 30, 2010
CSC's Sam Visner Thinks Big in Cyber Security
Sam Visner
Government contractors are caught in some fearsome cross currents these days. Executive compensation, wrongdoing and every little contract action they receive could be posted on Web sites. The government is working out a slew of procurement rule changes regarding what is inherently government and the width of the gray area in which contractors can operate. Substantial portions of the federal government's budget-reduction goals for 2011 and 2012 are to come from cuts in contracting according to the administration.
Still, government and the contracting community need one another. Feds, from procurement policy chief Dan Gordon on down, all acknowledge that. So at many levels, business goes on as usual, because it has to. Cyber security is one area in which industry-government collaboration is a way of life.
Systems integrator CSC is one example. It has been steadily building a cyber security unit, now numbering 1,500 people worldwide. It serves both commercial and federal civilian and military customers. Sam Visner leads CSC's cyber strategy. His complete title: Cyber Lead and Vice President, Strategy and Business Development North American Public Sector -- Enforcement, Security and Intelligence. It's a mouthful, but essentially he is the head brain for cyber in CSC.
Immediately before joining CSC, Visner worked for SAIC in a similar post. Earlier, he was chief of Signals Intelligence Programs at the NSA, and he's served on a number of federal advisory panels. He is an associate of the National Intelligence Council, and an adjunct professor in the International Affairs program at Georgetown University.
Visner's, and CSC's, strategy has two major components. One, assemble a team with both cyber and vertical business expertise. And two, apply research and development to the application of commercial cyber security tools to enable a comprehensive approach.
For the federal government vertical, Visner has hired some heavyweights. For example, Carlos Solari is the vice president for cyber technology and services. Solari, of course, was a White House CIO during the Bush Administration and program manager at the FBI. Also in the group is Andy Purdy, who carries the title of chief cyber security strategist. Purdy was an author of the National Strategy to Secure Cyberspace among other federal posts. He was also part of the team that set up the National Cyber Security Division and the U.S. Computer Emergency Readiness Team at the Homeland Security Department.
According to Visner, CSC's strategy is to go beyond expertise in existing commercial products by using research and development to expand them and develop new threat resistance strategies. "Many managed service providers use commercial products, which may not be good against the worst zero day threats," Visner said. "We have the infrastructure for the execution and R&D."
Solari said the goal of cyber attacks "is to get to the business functions [of targets], to steal data and the intellectual capital of an organization, and to disrupt operations." Thus the cyber security group is developing a tool, based on a commercial product, that will be able to assess vulnerabilities of web applications -- a growing threat venue -- as well as find SQL injections, allow imposition of proxy servers to trap incursions, and ferret out threats to databases that back up web applications. Ultimately, the tool will enable CSC to advise clients on how to fix their code to close vulnerabilities.
Visner added, "Our value added is, we bring use of the tool with access to customers' architecture, their infrastructures." CSC wants to be in on the cyber considerations when clients are first developing code for new applications, in addition to monitoring apps already running. He wants to bring together the elements of risk management, safe code development, and continuous network and application monitoring into what he called intrinsically secure architecture.
Beyond the technicalities of protecting online assets, Visner believes business and government agencies sometimes approach the dollars spent on cyber security too much as a pure cost, what he called "last-dollar spending. How little can I spend for minimum compliance? That's security cyber as a bare requirement."
Instead, there is commercial or other publicly-perceived value in the right to say an organization is secure, Visner said. "Smart enterprises, public and private, make cyber a competitive discriminator" and the cyber spending becomes "a first dollar that creates added value." In his blog, Visner cites Digital Britain, a report in which the U.K. government urges British businesses to become more competitive by showing they can be dealt with securely.
He also urges organizations' leaders to stay calm about cyber security. "We need to be serious, but not take an apocalyptic or catastrophic approach," he said, adding that while it might be possible to button down everything from operating systems to databases tightly, a goal of risk management and cyber security strategy is to enable innovation. "We can make it secure but expensive and closed, and hard to use. We need infrastructures that can serve many missions and architectures."
Programs Go Off The Rails, But It's Not Just The P.M.'s Fault
Are federal agencies showing a growing competence gap? Some recent developments:
The Minerals Management Service, popularly held to account for insufficient oversight of BP and of Gulf of Mexico drilling regs generally, has been fiercely reorganized into three separate pieces: Bureau of Ocean Energy Management, Bureau of Safety and Environmental Enforcement and the Office of Natural Resources Revenue. The wheels for this transformation were set in motion back in May. The apparently successful pinching off of the rogue BP well underscores the need.
In June, a tough FAA inspector general report came out on the NextGen air traffic control upgrade. Not surprisingly, the IG noted the need for better requirements -- ones that are both realistic and firm. Creeping requirements have been the bugaboo of many an FAA project. There are many more recommendations, and the IG noted that FAA management concurred with them. One IG statement: "FAA has not modified its Acquisition Management System so that it can gage the impact of a single NextGen investment on multiple initiatives or manage efforts in an integrated way. FAA's tendency to focus on individual programs has also limited its ability to assess how it will concurrently implement multiple, interdependent programs and mitigate any associated risks." Translation: With so many concurrent projects, the left hand doesn't always know what the right hand is doing, or what its impact will be.
This month, a Government Accountability Office report numbering 85 pages looked at management of major acquisitions by the Homeland Security Department. GAO recognizes that DHS management is making progress in acquisition oversight. The department's Acquisition Review Board has taken a close look at 24 major, complex acquisitions -- but not at another 40 in the pipeline. The GAO looked at 18 projects worth $100 billion over their lifecycles. Fifteen were underway in terms of having actually awarded contracts. Of the 15, 12 were already over budget and all of them late. Although one of the smaller projects, the Secure Border Initiative has the worst cost-busting in percentage terms. Its initial estimate came in at $284 million. That's ballooned 564 percent to almost $1.9 billion. Oops. A month earlier, the Homeland Security inspector general's office came out with a report carrying a wonderfully understated title: "Controls Over SBInet Program Cost and Schedule Could Be Improved." It strongly cited the need for more contractor oversight, stating, "The low number of government personnel to oversee contractor activities increased the SBInet program office's risk that program cost and schedule could not be adequately managed [Page 9]."
All this occurs as profound changes mandated by legislation affect the government. Financial overhaul, which President Obama signed Wednesday, creates a Consumer Financial Protection Bureau within the Federal Reserve. It will have vast powers over banking, including instituting price controls on banking products. Yet it will be subject to the veto power of a council of bank regulators yet to be formed. HHS will be severely stressed by a still-unknown number of changes brought on by national health insurance reform. Even the State Department, according to the Commission on Wartime Contracting, is going to have trouble managing 200,000 contractor workers in Iraq once the military largely leaves and transfers management of the country.
The various reports cite problems that are primarily within agencies, and problems that involve the management of government-industry relationships. It seems as if the government, in an expansionary mode, has also expanded the number and scope of large projects, with more to come in finance regulation, health care and possibly energy. Yet the underlying issues are nearly always the same:
Too few qualified people to ride herd, not so much on contractors per se, but on projects.
Too much growth in requirements and change orders, rather than doing what so many managers say they will do in conference speeches, which is go for a solid 80 percent solution that is predictable in terms of functionality, schedule and cost.
But you can find clues that, over time, these ambitious projects can right themselves. After a long and expensive start, tax systems modernization, which you don't hear much about these days, has settled into a rhythm of predictable deliverables. Ditto for the U.S. VISIT program at DHS: In the Page 18 chart on the IG report cited above, a U.S. VISIT project, Unique Identity, had an initial acquisition cost estimate of $160 million that dropped to $79 million. To be sure, it was flagged for programmatic weaknesses, including "Unapproved or unstable baseline requirements, lack of timely approval of acquisition documents, program office workforce shortages and lack of sustainment planning." There are lingering technical problems as well, such as development of a back-end system to support a years-ago change from two fingerprints to 10.
Still another clue to the government's way out of these problems is what the U.S. VISIT staff told the GAO: "According to program officials, capabilities and requirements constantly change as a result of new legislative and administrative mandates." Some things never change.
WashPost Stories Create Sensation; Will They Produce Change?
Can one newspaper article change the direction of the federal budget? The gigantic, multimedia Washington Post series that started Monday chronicled in exhaustive detail the extent of the nation's intelligence gathering and analysis activities, even down to the real estate building they've sparked. It chronicled the extent to which the government relies on contractors.
I mention this article because it is the talk of the town, and it raises many questions for the IT and federal management communities. It was noted by acting Director of National Intelligence David Gompert. It came up at the confirmation of James Clapper to be permanent DNI. It came up in White House daily press briefings. Sen. Kit Bond (R-Mo.), the Post itself reported, cited the series in arguing for passage of a revised intelligence authorization bill.
Stories like that can have the effect of changing public policy. In this case, the effect might be to accelerate what is shaping up to be a tight discretionary spending climate for 2011 and 2012. As FedInsider pointed out earlier, Defense Secretary Robert M. Gates has embarked on a trimming program for 2012 that will affect the armed services as well as DOD agencies. But his focus has been on management trimming at headquarters and unneeded weapons systems.
On the civilian side, the Obama administration has set a goal of halving the current record deficits by the end of the first term. Thus, repeated guidance going out to agencies from the Office of Management and Budget to eliminate low-priority programs. Still to come is guidance on identifying programs representing 5 percent of spending with the lowest impact.
But the administration is also tightening up spending on contractors. Some of this will be accomplished through attrition if the above-mentioned low priority programs do in fact disappear. Some will come from pulling back in-house, via adjusted policies on inherently governmental work, what has or had been done by contractors.
Contractors and contracting are coming under increasing scrutiny. For example, there is the DOD interim rule to post all contracting bundling on a public web site. There is last month's presidential order to create a do-not-pay list of delinquent contractors, by combining several existing databases into one that contracting and finance officials can check against.
The inherently governmental question so far has not been about wholesale conversion of contractor jobs to government. (Some of this has occurred, but it's safe to say that more people go from government to the private sector than the other way around.) There are several reasons why it would be impractical. Top among them: there are not enough skilled people to go around, the government hiring process is slow (even though reforms are underway at John Berry's OPM), and in the end, Congress sets agencies' workforce and acquisition dollar balances.
Here is one excerpt from the Post story:
"Contractors kill enemy fighters. They spy on foreign governments and eavesdrop on terrorist networks. They help craft war plans. They gather information on local factions in war zones. They are the historians, the architects, the recruiters in the nation's most secretive agencies. They staff watch centers across the Washington area. They are among the most trusted advisers to the four-star generals leading the nation's wars."
Many more paragraphs are devoted to the levels of contractors and contracting support for the vast array of intelligence stories.
The danger here is overreaction by the Hill when contracting is viewed in a telescoped fashion. While the story paints a dramatic picture in toto, each agency decision is made individually, depending on its requirements and available contracting and personnel resources. Moreover, the intelligence and defense domains may have a higher contractor concentration than other domains. A one-size-fits-all approach is unlikely to apply across government. Clapper, while telling the Senate Intelligence Committee that the Post stories are a bit shrill for him, said nevertheless that deciding the government-contractor balance would benefit from a stronger "organizing principle."
Post reporting paints a picture of an ungoverned, unchecked and fast-growing intelligence-industrial complex. Clapper said, no big deal. The reality is somewhere in between. Reading the blog communities' reactions, you'll find predictable take-aways, depending on the bloggers' point of view. Let's just hope lawmakers and the intelligence community itself use the series as a data point in a rational approach to change.