FedInsider.com brings you fortnightly the voices of those in the government community driving change. Hear about leaders from both government and industry who are managing government’s most challenging issues. Watch your inbox on the 1st and 15th every month.
THE FEDINSIDER’S VOICE: TOM TEMIN - A trusted member of the Federal community, Tom has had a seat at the table from which to inform us on the issues of the day for more than 16 years. As the editor of FedInsider.com, Tom will continue to bring you viewpoints on the issues of the day.
FedInsider.com is published by Hosky Communications Inc.
3811 Massachusetts Ave.
Washington, D.C. 20016
202-237-0300
CARLETON HELPS HHS TURN ON HEALTH CARE REFORM DIME What do you do when a sea change in policy renders obsolete the budget you wrought a year and a half ago? That's the challenge facing Mike Carleton, the CIO of the Health and Human Services Department. The Obama administration took power in January of 2009, but it wasn't until early in calendar 2010 that the landmark health care reform bill was passed and signed by the president, creating new, unbudgeted responsibilities for HHS.
DATA SHARING IS AGAIN FRONT AND CENTER
This week's must-read list includes the Select Senate Committee on Intelligence (SSCI) summary of its investigation into the near-bombing of the Detroit-bound airliner last Christmas. The committee sent its full, classified report to the intelligence community (IC), but the 12-page summary is simply fascinating. Perhaps predictably, the report shows that information sharing within the federal government must improve a lot in order to achieve a measurable improvement in the government's ability to stop people like Umar Farouk Abdulmutallab before they board airliners.
Advertisements
IRMCO 2011
If you missed this year's IRMCO conference, plan now to attend IRMCO 2011 and celebrate IRMCO’s 50th Anniversary. IRMCO 2011 will take place from April 10-13 at the Hyatt Regency Chesapeake Bay, Cambridge, Maryland. For details about IRMCO 2011, or to view presentations from IRMCO 2010, go to www.irmco.gov. If your company would like to be one of the limited sponsors at IRMCO 2011, contact Peg Hosky at peg@hosky.com or 202-237-0300. Sponsorships sell out every year so start planning now.
PROCUREMENT INITIATIVES REQUIRE A SCORECARD TO TRACK
Against the backdrop of multi-trillion dollar federal deficits for the next several years, and an estimated $30 billion reduction in contracting spending for 2011, procurement continues to get a lot of attention. Discussion over the bills still in Congress to change procurement are leavened by confusion over the definition of "inherently governmental" and what, exactly, the government plans to do for insourcing. It's a complicated mix.
CAN POST-FISMA SECURITY PLANS INCLUDE THE CLOUD?
Those in leadership positions sometimes joke that it's like standing in a cemetery. You are over a lot of people, but you wonder if they hear you. That's especially true in the relationship between political appointees and career staff in the federal government, where the phenomenon of out-waiting the current crew of appointees is not unknown to the career workers. That's not the case for a late April directive from the Office of Management and Budget concerning annual reporting of cyber security.
Complete Articles for May 15, 2010
Carleton Helps HHS Turn On Health Care Reform Dime
Mike Carleton
What do you do when a sea change in policy renders obsolete the budget you wrought a year and a half ago? That's the challenge facing Mike Carleton, the CIO of the Health and Human Services Department.
The Obama administration took power in January of 2009, a month falling in the 2009 fiscal year. In February, the 2011 budget requests came out from the administration. But it wasn't until early in calendar 2010 that the landmark health care reform bill was passed and signed by the president. The new law instantly created new responsibilities for HHS, with the need for new supporting organizational and IT structures. To underscore the expansion of HHS, the department received expedited hiring authority for 1,832 additional people. Putting additional pressure on HHS IT resources is the still-ballooning open government initiative of the Obama administration. "It put me in the position of trying to decide how to shift to new, high-priority areas," Carleton said. "HHS has 74 major IT initiatives tracked by the IT dashboard," he said, referring to the IT-tracking web site created by the Office of Management and Budget last year. "And darn close to zero are health care or open government."
Numerous health care reform initiatives will need IT support, not the least of which is the crafting of new regulations with their dissemination and comment periods. But the list also includes the creation of information portals for regional health care insurance options, formulation of high risk insurance pools, and citizen outreach plans to gauge what the public wants, exactly, in health care and from HHS. The health care bill itself has more than 450 specific provisions. It all adds up to new offices, new IT support, new Web sites. So, Carleton and his shop are seeking budget reprogramming authority, and redeploying contractors where the new requirements are within the scope of existing contracts. Perhaps more important, as new people come into the department with specific program responsibility, the CIO office can assist them.
"People are charged with putting up new functions rapidly. We know they're unfamiliar with federal strictures, such as the Federal Records Act, privacy regulations, federal procurement," Carleton said. "I'm completely hooked into how we can show up to help the new people." With 54 federal employees and about 100 contractors, Carleton's shop is small compared to HHS as a department. That's because components like the Centers for Medicare and Medicaid Services, Food and Drug Administration, Centers for Disease Control and the National Institutes of Health constitute the bulk of the department's people and expenditures. In all, HHS has 12 operating divisions and six central providers of infrastructure services. The headquarters CIO office is primarily policy and oversight, itself spending only $120 million per year. Carleton expects the operating divisions to join headquarters in absorbing some of the new work coming in thanks to health care reform.
The other big topic for HHS, Carleton said, is cyber security. Like other departments and agencies, HHS is preparing for the next phase of Federal Information Security Management Act (FISMA) reporting, which will emphasize continuous monitoring of networks, and feeding the results of the monitoring to the still-developing CyberScope system.
"HHS has the same adversaries as everyone else -- organized criminals, nation-states, industrial espionage and mischief-makers who may have a disagreement with the department," Carleton said. Under the American Recovery and Reinvestment Act of 2009, HHS received $50 million to improve cyber security, and so Carleton's office has established a new computer incident response center, co-housed with HHS's Centers for Disease Control in Atlanta. The center is acquiring the tools that will enable continuous monitoring and protection, such as encryption, log analysis, and web filtering.
Carleton added, "Our concept of operations will allow fast upward sharing so we'll meet our obligation to DHS to report. If we see something in one part of HHS, we can alert the others, even isolating that part of the organization that's affected."
Data Sharing Is Again Front and Center
This week's must-read is the Select Senate Committee on Intelligence (SSCI) summary of its investigation into the near-bombing of the Detroit-bound airliner last Christmas. The committee sent its full, classified report to the intelligence community (IC), but the 12-page summary is simply fascinating. Perhaps predictably, the report shows that information sharing within the federal government must improve a lot in order to achieve a measurable improvement in the government's ability to stop people like Umar Farouk Abdulmutallab before they board airliners. In my view, the certainty of the preventive function is logarithmic; each measurable level of certainty might require 10 times the investment and effort.
Don't discount the importance of this concise report. It was no coincidence that within days of its release, the White House fired Dennis Blair, the Director of National Intelligence. Regardless of whether Blair was really responsible for some of the intelligence lapses of recent months, the incident, like the report, shows how far the government has yet to go.
The SSCI report details what it calls 14 systemic failures of the IC, including the State and Homeland Security Departments, and the FBI. Several of them are technology and information-sharing related, such as (the SSCI's own wording is quoted):
"The State Department did not revoke Abdulmutallab's U.S. visa": The committee says that a search using fuzzy-logic tools, or simply his passport number, would have turned up his visa, and State would then have revoked it on its own. The committee also recommends that State notify airlines electronically of travelers whose visas have been revoked.
"Reporting was not distributed to all appropriate CIA elements": SSCI cites "processes" that failed to make sure all need-to-know offices and people actually did know.
"A CIA CTC [counterterrorism center] office's limited name search failed to uncover the key reports on Abdulmutallab" and "The failure of CIA CTC analysts to connect the reporting contributed to the failure of the intelligence community to identify Abdulmutallab as a potential threat": From these points, the committee recommends developing a "comprehensive plan to implement advanced information technology systems that can draw connections among related intelligence reports..."
"FBI counterterrorism analysts could not access all relevant reports": The SSCI finds that an analyst's computer set-up kept her from reaching "relevant" intelligence reports, and recommends that the FBI director review all FBI IT systems to make sure the people who need access to reports and databases have it.
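Two of the findings above come down to name matching: a search that misses a record because of a spelling variant, and a strong identifier (the passport number) that would have found it regardless. The following is an added example, not code from the SSCI report or from any State Department or CIA system, of the shape such a lookup takes: canonicalize names so that spacing and "LAST, FIRST" ordering drop out, match exactly on the passport number, and fall back to edit-distance scoring for spelling variants. The visa records, passport numbers, and the misspelled and re-spaced query strings are constructed for illustration; only the Abdulmutallab name comes from the report.

```python
import re
import unicodedata

# Constructed sample visa records for this example. The names other than
# Abdulmutallab's, and every passport and visa identifier, are invented.
VISA_RECORDS = [
    {"visa_id": "V-0001", "name": "Abdulmutallab, Umar Farouk", "passport": "A00000001"},
    {"visa_id": "V-0002", "name": "Mutallab, Abdul", "passport": "A00000002"},
    {"visa_id": "V-0003", "name": "Farouk, Umar", "passport": "A00000003"},
    {"visa_id": "V-0004", "name": "Abdulla, Omar", "passport": "A00000004"},
]


def normalize_name(name):
    """Canonical form: 'LAST, FIRST' becomes 'FIRST LAST', accents are stripped,
    punctuation is dropped, letters are upper-cased, and spaces are removed so
    that 'Abdul Mutallab' and 'Abdulmutallab' compare equal."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Za-z]+", "", s).upper()


def levenshtein(a, b):
    """Plain edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical canonical names, falling toward 0.0 with each edit."""
    a, b = normalize_name(a), normalize_name(b)
    if not a or not b:
        return 0.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def exact_name_lookup(query, records=VISA_RECORDS):
    """The 'limited name search': only a canonical-form exact hit counts."""
    q = normalize_name(query)
    return [r["visa_id"] for r in records if normalize_name(r["name"]) == q]


def fuzzy_name_lookup(query, records=VISA_RECORDS, threshold=0.85):
    """Candidates at or above the threshold, best first, as (score, visa_id).
    The threshold is an assumption for this example; a real system tunes it."""
    scored = [(similarity(query, r["name"]), r["visa_id"]) for r in records]
    return sorted([(round(s, 3), v) for s, v in scored if s >= threshold], reverse=True)


def passport_lookup(passport, records=VISA_RECORDS):
    """Strong identifier: exact match, no spelling ambiguity to get wrong."""
    return [r["visa_id"] for r in records if r["passport"] == passport.strip().upper()]


if __name__ == "__main__":
    misspelled = "Umar Farouk Abdulmutalab"   # constructed: one letter dropped
    spaced = "Umar Farouk Abdul Mutallab"     # constructed: surname split in two
    print("exact, misspelled:", exact_name_lookup(misspelled))   # []
    print("exact, spaced:    ", exact_name_lookup(spaced))       # ['V-0001']
    print("fuzzy, misspelled:", fuzzy_name_lookup(misspelled))   # [(0.957, 'V-0001')]
    print("passport:         ", passport_lookup("A00000001"))    # ['V-0001']
```

Canonicalization alone rescues the spacing variant; only the edit-distance fallback rescues the dropped letter, and the passport number sidesteps the problem entirely. Production screening adds transliteration tables and phonetic keys on top of this, and the threshold must be tuned against a known-good record set, since the partial-name record scores around 0.5 here and a threshold set too low would start returning such near-misses as matches.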
The IC is also chided for operational and procedural issues, often in not using the information and tools available or distributing information too narrowly or too late. It all adds up to a giant opportunity to further refine the relationships and underlying processes required to build trust within the government.
Often overlooked, though, are the statutory and regulatory strictures throughout the government that prevent data gathered for one purpose from being used for another. The policies don't apply in all cases, or not in the same way, but they have fostered a culture in which the default is not to share.
Sometimes the government does a better job of information sharing when a crisis hits all at once on a large scale. Just after the April 20 Gulf of Mexico oil spill got underway, the Coast Guard set up an information sharing environment, accessible from its Homeport portal. The Deepwater Horizon Response site gathers authoritative information not only for the many governmental organizations involved in the crisis, but for the general public as well.
Procurement Initiatives Require a Scorecard To Track
Against the backdrop of multi-trillion dollar federal deficits for the next several years, and an estimated $30 billion reduction in contracting spending for 2011, procurement continues to get a lot of attention. Discussion over the bills still in Congress to change procurement are leavened by confusion over the definition of "inherently governmental" and what, exactly, the government plans to do for insourcing.
It's a complicated mix. When it comes to DOD, two things were going on at once last week. Mixed assessments came out for weapons systems procurement, with the Government Accountability Office having one view, and DOD itself another. A year after passage of the Weapons Systems Acquisition Reform Act, the GAO found that in the 42 of 102 major programs it assessed, DOD has made "continued improvement in the technology, design and manufacturing knowledge" about the programs. But the programs continued to be plagued by the classic problems of requirements creep, change orders and workforce issues. Meanwhile, Nancy Spruill, an acquisition executive in the Office of the Under Secretary of Defense for Acquisition, Technology and Logistics, told lawmakers of progress in getting weapons systems costs and schedules under control.
In truth, savings near-term for the Defense Department will come from canceling programs, not from cost-savings epiphanies. Fresh from killing off the F-22 fighter in the Air Force, Defense Secretary Robert Gates is getting set to trim the Navy's sails. In a commencement speech, Gates said the armed services could expect level top-line budgets for the foreseeable future, and that the Navy will have to learn to do with existing carriers and submarines. Moreover, although the weapons acquisition act established independent cost assessment and trigger points for canceling programs, it is unrealistic to expect measurable results in 12 months.
As I noted in the FedInsider #55, the House passed the IMPROVE Acquisition Act, which would apply reform to all DOD procurement. But that bill faces indifference in the Senate, which likely lacks the floor time to take up a second DOD procurement bill this year.
But wait, as the ads say, there's more.
Two differing bills in the House and Senate concern how much contracting information agencies would have to post online. Sen. Jon Tester (D-Mont.) would have agencies post not only contracting documents, but also those of "agents of the federal government, including records in the possession of government contractors." That opens the door to subcontractor information and the potential posting of company-confidential data. A less sweeping House bill is H.R. 4858. Whichever version prevails, if anything passes at all this year, the question becomes: to how many locations should agencies be required to post data? There are already multiple federal spending databases, including usaspending.gov, plus the stimulus site, recovery.gov.
Beyond that are the competing proposals for contractor performance databases available to the public. Less objectionable to industry is the 2010 Federal Contracting and Oversight Act, sponsored by the unlikely pairing of Sens. Russ Feingold (D-Wis.) and Tom Coburn (R-Okla.). It would beef up the Federal Awardee Performance and Integrity Information System (FAPIIS) with data on administrative proceedings about contractors, and keep information for 10 years rather than five. Worse, from industry's standpoint, it would make FAPIIS accessible to all of Congress. Currently only contracting officers and certain committee members can see it. Expanding access to all of Capitol Hill would ensure that adverse information became public. The problem is that fairly routine matters such as overcharges can look worse out of context, or to those unfamiliar with the government's admittedly byzantine processes. Recall that in 2008, Sen. Chuck Grassley and his staff seized upon a minor dispute between Sun Microsystems and the General Services Administration to deny Jim Williams appointment as GSA Administrator. Another potential problem is that the resolution of contractor-government disputes might be left out of the databases, as might the fact that it is often the contractors themselves who notify the government of errors.
Finally, there is the contractor-government question as to who does what. Early in the Obama administration, it looked as if some sort of mass migration of work from contractors would flow into the government, which would cause a hiring binge that could only be fulfilled by poaching contractor personnel. That happened in a few cases, but nothing on a mass scale. Now some realism is coming into the discussion.
The House Armed Services Committee, in its overview of the 2011 Defense Authorization bill, notes that the "bill prohibits the establishment of any arbitrary goals or targets to implement DOD’s insourcing initiative. It also requires reports from both DOD and GAO to examine the insourcing initiative." Meanwhile, Daniel Gordon, the administrator of the Office of Federal Procurement Policy, is taking a measured approach. He told a meeting of the Professional Services Council that his March 31 memo on what work is inherently governmental is still a draft, and that he wants input from industry before finalizing it. Inherently governmental is one thing; "critical" and "closely associated with inherently governmental" are two others. It looks as if the administration is realizing that it would be unrealistic and unwise -- no matter how fervently the employee unions wish -- to radically lessen the government's reliance on contractors. As the GAO notes, June 1 is the date by which contractors, and anyone else, can weigh in on the OFPP policy. You can add your comments at regulations.gov: search for "inherently governmental" and check the "open" box under Comment Period.
Can Post-FISMA Security Plans Include the Cloud?
Those in leadership positions sometimes joke that it's like standing in a cemetery. You are over a lot of people, but you wonder if they hear you. That's especially true in the relationship between political appointees and career staff in the federal government, where the phenomenon of out-waiting the current crew of appointees is not unknown to the career workers.
That's not the case for a late April directive from the Office of Management and Budget concerning annual reporting of cyber security. The directive has gained traction with an important agency.
Agency managers themselves have complained for years that reports required by the Federal Information Security Management Act, or FISMA, amount to little more than paperwork exercises that don't necessarily help the cause of cyber security. So until Congress gets on with a rewrite of FISMA, OMB in April told agencies they should continuously monitor their networks for security developments "in a manageable and actionable way." They're asked to automate security monitoring. Exception reports generated by the management consoles of network cyber security tools are to be fed to the CyberScope database, which is to be managed by the Homeland Security Department. (Right now it is housed at the Justice Department.) Regular FISMA reports have already been going to CyberScope; now continuous monitoring data will go there too.
The approach OMB calls for is similar to one that's been in place since 2009 at the State Department, under Chief Information Security Officer John Streufert. He's reported to Congress dramatic results in improving security. Now NASA's CISO, Jerry Davis, has implemented a similar policy. Gone is the traditional C&A, or certification and accreditation, in favor of A&A, assessment and authorization. It may sound like a nitpick change, but A&A is arrived at by a different process. NASA is asking system owners to extend their Authorizations to Operate based on assessments generated according to standards -- including continuous monitoring -- published by the National Institute of Standards and Technology in Special Publication 800-37, Revision 1.
In my opinion, the OMB memo and the NASA action represent real progress toward improving cyber security. The loop to be closed now, aside from getting every department on board with continuous monitoring and reporting, is to extend the concept to cloud computing, since OMB is also pushing agencies to move IT functions to a cloud. (For example, recovery.gov, the stimulus money reporting site, is to be hosted in a cloud environment run by Amazon.com.) At a NIST cloud summit last week, Federal CIO Vivek Kundra talked about the need for security, interoperability and data portability.
Cloud providers should do their own continuous monitoring, and this information should also feed into CyberScope, as well as to the agencies that use a particular cloud. That's what the Federal Risk and Authorization Management Program, or FedRAMP, is meant to supply: a government-wide assessment and authorization of a cloud provider's security controls, done once and reused by every customer agency, so that cyber criminals don't go busting into a cloud provider's infrastructure that nobody has vetted. Beyond this, security and data portability are related in a way that's not as widely recognized. Whether because a customer changes providers or upgrades service, or in the normal load balancing that occurs in complex IT systems, databases get moved frequently -- physically, not logically. Yet remnants of data can remain behind on the old storage, as can metadata. That is the data remanence problem NIST Special Publication 800-88 addresses for physical media; in a shared cloud the customer cannot sanitize the underlying disks itself, so the provider's practice for scrubbing released storage belongs in the security assessment, not just in the contract. The existence, or at least the possibility, of these remnants is a cyber security concern that should be addressed by cloud operators.
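To make the remanence point concrete, here is an added example (not code from the page, and not modelled on any particular provider's storage) of a toy multi-tenant block store. Releasing a tenant's storage only clears the allocation table unless overwrite-on-release is turned on, so the bytes stay on the media: a raw scan finds them, and the next tenant who is handed the same blocks and writes less than a full block reads the previous tenant's data back from the tail. The block size, tenant names and the "PHI record" marker are constructed for the example.

```python
BLOCK_SIZE = 64     # bytes per block (toy size; real volumes use 4 KiB or larger)
NUM_BLOCKS = 16     # a tiny "volume"


class BlockStore:
    """A toy multi-tenant block volume: raw media plus an allocation table.

    Modelled on the common failure mode, not on any particular provider:
    releasing a tenant's storage only clears table entries unless
    `sanitize_on_release` is set, so the bytes stay on the media."""

    def __init__(self, sanitize_on_release=False):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.owner = [None] * NUM_BLOCKS          # block index -> tenant id
        self.sanitize_on_release = sanitize_on_release

    def write(self, tenant, data):
        """Allocate the first free blocks for `data`, write it, return the block list."""
        needed = -(-len(data) // BLOCK_SIZE)      # ceiling division
        free = [i for i, o in enumerate(self.owner) if o is None][:needed]
        if len(free) < needed:
            raise RuntimeError("volume full")
        for n, blk in enumerate(free):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            # Only len(chunk) bytes are written: the tail of a partly filled
            # block keeps whatever the previous owner left there.
            self.media[start:start + len(chunk)] = chunk
            self.owner[blk] = tenant
        return free

    def read(self, tenant, blocks):
        """Return the full raw contents of blocks the tenant owns."""
        out = bytearray()
        for blk in blocks:
            if self.owner[blk] != tenant:
                raise PermissionError(f"block {blk} is not owned by {tenant}")
            out += self.media[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE]
        return bytes(out)

    def release(self, tenant):
        """Free a tenant's blocks: logical deletion, plus overwrite if configured."""
        for blk, o in enumerate(self.owner):
            if o == tenant:
                self.owner[blk] = None
                if self.sanitize_on_release:
                    self.media[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)

    def scan_raw(self, marker):
        """Count marker occurrences on the raw media, ignoring the allocation
        table: what someone with media-level access could recover."""
        return bytes(self.media).count(marker)


def remnant_demo(sanitize_on_release):
    """Tenant A stores a record and leaves; tenant B then lands on the same blocks.

    Returns (marker hits on raw media after A's release, marker hits visible to B)."""
    store = BlockStore(sanitize_on_release)
    marker = b"TENANT-A-PHI"
    record = (marker + b"-RECORD-0001 ") * 3     # constructed sample data: 75 bytes, 2 blocks
    store.write("tenant-a", record)
    store.release("tenant-a")
    on_media = store.scan_raw(marker)
    # Tenant B writes 5 bytes into a freshly allocated block and reads the whole block back.
    blocks = store.write("tenant-b", b"hello")
    seen_by_b = store.read("tenant-b", blocks).count(marker)
    return on_media, seen_by_b


if __name__ == "__main__":
    print("logical delete only: ", remnant_demo(False))   # (3, 2)
    print("overwrite on release:", remnant_demo(True))    # (0, 0)
```

The fix shown is overwrite-on-release; zeroing blocks on allocation is the equivalent defense on the other side of the hand-off. Neither helps if the provider's snapshots, replicas or migrated copies are outside the same practice, which is why the practice has to be assessed rather than assumed.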
Keep in mind, FISMA as enacted in 2002 still stands, and agencies remain under obligation to report as it specifies.
FedInsider would like to hear from you. If you have been, or are currently involved in a project that is driving change in the government we’d like to share your experiences with our readers. Contact Kristie Clement at kristie@hosky.com with a brief description of how you are helping to institute positive change within your agency.