Chris Vein

Chris Vein works for two prominent Obama administration officials who are always in the limelight. Consequently Vein doesn’t get a lot of publicity. If you do a search on his name, the “news” results shows very little.

And that’s all fine with Vein, the deputy Chief Technology Officer. He reports to the soon-departing CTO Aneesh Chopra and also to John Holdren, the senior advisor to the president for Science and Technology. Both have been highly visible – and in Holdren’s case, controversial – appointees.

“I don’t search out publicity,” Vein said. “I think it’s easier to get more done with people if you’re not in it to get your name out. My style is to be in the background.” The exception was Vein’s tenure as CIO of San Francisco, the job he held before joining the administration. He said, in that job, publicity sought him. In fact, in this 2007 video he refers to himself as the accidental CIO. The video conveys what you sense about Vein when talking to him, that his outer manner – relaxed, low-key and informal – somewhat masks an inner intensity.

(Vein is not the only person from the administration of former Mayor Gavin Newsom, now the lieutenant governor of California. See this FedInsider profile of Nani Coloretti.)

Accidental or not, Vein’s penchant for innovation evident now in the Office of Science and Technology Policy (OSTP) came into play then. He established a public-private partnership to bring WiFi to public spaces. He improved web-deployed services to citizens. He devised a program called Tech Connect with the goal of making sure every citizen in San Francisco would have broadband access to the Internet. He pushed so-called green computing, with double-sided printing and acquisition of sustainable products. Even server and data center consolidation were part of the agenda.

At the White House, Vein has a broad portfolio but he concentrates on three areas. Two are related. The first of these is the National Action Plan for Open Government which was extended to become an international effort. Vein represents the U.S., which has donated source code for www.data.gov.

“We are trying to leverage that project,” Vein said, “getting other governments to put their data on the same platform. We’re trying to remove barriers to that.”

Secondly, Vein is working to insure that federal agencies complete their own plans under the Open Government Directive, as the administration works on version 2 of the initiative.

And third: “I work with state and local government and remove differences and silos among branches of government,” Vein said. That means getting cities and states to put their data sets on data.gov. But more than making data available – which in some sense agencies have always done – the open government efforts also encourage development of applications, public engagement platforms such as Ideascale, and continuous improvement of web sites and the services they deliver.

You can get a simplified view via the open government dashboard, which includes links to each agency’s openness plan.

For Vein, the underlying theme for his work is innovation. He defines that as “a process of improving, adapting or developing products, systems or services to deliver a better result or more value to users.” He credits that definition to the Ideo group, and adds, “Innovation has lots of definitions, but most are missing something.”

Vein said he doesn’t necessarily look at innovation from a technology standpoint. “I’m one of the last remaining skilled generalists,” he quipped. But, he said, “We are finally able to achieve what technology has promised for so long. Technology has become ubiquitous and cheap. The challenges we face are based not on getting more money.”

Data.gov itself, the use of prizes and challenges, and use of rapid and agile development techniques have comprised an innovating way of approaching innovation. They’ve brought different constituencies together in, for example, health care. “Given the nature of competing interests and the fact that most people want to participate, we’ve used challenges and prizes. Hundreds of applications have been developed,” Vein said. “Walgreens and Aetna have built on ideas, scaled them in ways the government couldn’t.” Vein calls the government’s efforts in these types of collaborations that of an “urgent convener.”

Vein also works with agencies in the redesign of their web sites, both in terms of appearance but more importantly in functionality and how they are organized. He cites a new one, the Consumer Financial Protection Bureau as an example of a site developed with users in mind. Right now the CFPB is trying to get the mortgage industry to simplify all of the paperwork. It is running side-by-side versions of model disclosure forms and asking site visitors to comment on each one.

Vein is no newcomer to government, although he also had substantial jobs in the private sector. He joined the White House staff as a non-political employee during the Reagan administration and into the first year of the Clinton administration. He was a financial officer supporting the White House appropriation, and then a non-political senior advisor for internal administration and financial policy. His private sector stints include jobs at the American Psychological Association and federal contractor SAIC. He worked for San Francisco as deputy director and chief administrative officer before becoming senior advisor to and then CIO for Newsom.

To chill, Vein returns to his permanent home in the Sonoma Valley area of California where he is an avid cook.

The company famously says that starting March 1, it will institute a new privacy policy.  Google says it simplifies and unifies several policies it had for different services before.

Two things the federal market needs to keep in mind.

• Google services used under an enterprise agreement are governed by whatever the contract says, not by the privacy policy. The privacy policy applies to individual users, including federal contract users in their private lives.

• You’ll find the new policy makes a lot of sense if you keep in mind that Google is primarily an advertising sales driven company.

Google has written an easy-to-read policy. But it’s more than strictly a privacy policy. It is also a statement of what the company will do with data users give it, and – again as widely seized upon – from which they may not opt out.

At first glance, it does look like Google is gathering a lot of information. But I don’t think it takes the company outside of the mainstream of how any other major Internet companies enhance their services by using information. Amazon, for example, knows what you’ve bought and feeds up related items when you go shopping.

But for people at the National Oceanic and Atmospheric Administration, Google won’t be delivering contextual advertising or collecting locational whereabouts unless those, and similar services, are part of the contract under which the agency is using Google mail, docs, collaboration tools, and other products.

On the other hand, the information on user activity will be used to enhance service. I spoke with a Google spokesman who confirmed this. Here’s an example. If you create documents and share them regularly with the same group of people, Google will use that sharing data when you compose an e-mail in Gmail. As you type in one of the people with whom you share documents, you’ll see on your screen a suggestion generated by Google servers that you also copy the same people with whom you share documents. Google uses location information to speed the routing of packets within its own infrastructure, which has numerous data centers across time zones.

In the private user realm, federal employees will have to decide whether and how to use Google services. When using YouTube it can be disconcerting to have ads and link suggestions pop up that have uncannily relevance to you. My particular peccadillo is a love of pipe organ music, which no one I know shares. So when some people are fooling with FaceBook, I like to watch and listen to some of the great contemporary organists playing instruments all over the world. There’s nothing that’s not on YouTube.  Some of the ads that show up make it seem as if someone is tracking you personally, but it’s actually machine-generated.

Basically, Google says, it doesn’t share this cookie, unique machine identifier, name and e-mail address information. Exceptions are for legal reasons, if domain administrators (for group or business users) say it’s okay, and with the user’s consent. But also with “affiliates” and “trusted business or persons to process it for us” – and the policy is silent on exactly what that means.

Here are three key statements:

“When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.

“We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.

We will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.”

So it’s not as if Google is becoming everyone’s big brother. And for federal contractual users, the privacy policy is superseded by the contract terms.

The cybersecurity ship is finally pulling into the slip. The same Congress which found a way to agree on a permanent FAA authorization bill after several years and 23 continuing resolutions is coalescing around major cybersecurity legislation.

During the last couple of sessions, Congress scattered its intentions among so many bills, nothing passed. Now, in the Senate, the heavy lifting appears to be occurring in the Commerce, Science and Transportation Committee and the Homeland Security and Governmental Affairs Committee. The bill isn’t ready, but at the urging of Majority Leader Harry Reid, a comprehensive bill is expected. One Senator active on cybersecurity, Tom Carper (D-Del.), told Federal News Radio not to expect it until April 1, and he mentioned that that’s April Fool’s Day.

In the House, it’s the Homeland Security Committee, and more particularly the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, chaired by Dan Lungren (R-Calif.). Last week the committee agreed on the PrECISE Act, or HR 3674. That stands for Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness.

In some fundamental ways, the bills agree that the Homeland Security Department becomes the focus of federal cybersecurity efforts in .gov protection – which it de facto is anyhow – and for coordination with private sector operators of critical infrastructure.  But is it coordination or outright regulation?

There are differences. The Senate takes a slightly heavier-handed approach to direct regulation of private companies’ cyber practices. The House version establishes a National Information Sharing Organization, a trusted place for information sharing about cyber threats, funded for three years by the government and then by industry if there is uptake. But it does empower Homeland Security to gather data and establish standards for various sectors, but reserves the highest level of regulation for operators of networks, the failure of which would cause loss of life, endanger national security, or cause disruptions to the economy.

The House version would otherwise leave direct regulation to the discretion of the agencies, like the Energy Department and the electric grid, that already oversee different sectors.  The Senate appears to be headed toward more direct regulation by DHS. Its version has similar criteria to the House for which pieces of critical infrastructure would be subject to federal regulation.

The Senate bill is expected to require the White House cybersecurity advisor to become a Senate-confirmed position. That’s not the case with the House bill, although some members openly question whether Howard Schmidt, as the non-confirmed, mid-level advisor, has much direct access to the president.

To me it seems likely that agencies, particularly chief information security officers, will eventually lose autonomy to a governmentwide structure operated out of DHS. Surely a department with a broad mandate over significant pieces of the private sector would also have hegemony with the government itself.

Cyber is developing at another level. The National Institute of Standards and Technology has moved the National Strategy for Trusted Identities in Cyberspace a notch forward. It announced grants for industry or academia to develop ideas for some ID system other than the standard username/password scheme. Next week NIST holds a public meeting to further discuss these pilot programs. The money is not big, but the projects could catalyze development of commercial ID ecosystems that catch on where public-key encryption simply has not.

Not only has cybersecurity started to take shape legislatively, cloud computing security has started to take shape administratively in a meaningful way. You won’t find huge surprises in the grandly named Concept of Operations (CONOPS) for the Federal Risk and Authorization Management Program, or FedRAMP. The 47-page document does fill out the plan, long promised by The Office of Management and Budget and the General Services Administration. What might be surprising is how elaborate the procedures and project plan turn out to be.

If the federal government is going to be a leader in the adoption of cloud computing, it better hurry up.

Recall that under FedRAMP, cloud computing providers are to have their cybersecurity promises verified and certified once, so that any and all federal customers could contract for service without having to conduct their own, individual certifications and accreditations. The originator of the program, former CIO Vivek Kundra, rightly understood: That would be a prohibitively expensive and bureaucratic cloud-killer.

Given that both DOD and Homeland Security participated, along with NIST and GSA, in establishing FedRAMP, its security schema should be sufficient. Maybe not for the National Security Agency, but everyone else. The CONOPS is supposed to move from the CON stage to the OPS stage in June.

If nothing else, the CONOPS document puts all the key words in one place, including:

• JAB, or Joint Authorization Board, the government panel that gives “provisional authority” to a cloud provider. It’s made up of the CIOs from the aforementioned agencies. The CONOPS also establishes a subgroup called the JAB Technical Representatives that do the ground level work.
• 3PAO, or third party assessor. These will be outside groups - vendors, academics, non-profits are all eligible - who validate the provider as having the right controls in place such that its “security package” complies with the FedRAMP requirements.

What should concern agencies is not so much the somewhat baroque internal governance and operational norms of the FedRAMP and its program management office, but rather which 3PAO a cloud provider chooses to have itself assessed by, and the eventual list of cloud providers so they, the agency customers, can speed their move to cloud computing. The machinery won’t start spitting out accredited cloud providers in large numbers until deep into fiscal 2013, with wheels up in fiscal 2014.

The question arises, is FedRAMP holding back cloud adoption with its elaborate, risk-eliminating procedures?

Contrast that with the Defense Business Board, which, in its latest report is urging the Defense Department to get on with more cloud computing as part of a larger set of recommendations for modernizing IT. The report was widely cited in the media as being all about the job structure of the department’s CIO, Teri Takai. But its main message is found on slide 11: “Continuation of status quo has a negative ROI.” The Board calls a myth the idea that cloud computing is less secure than conventional ones, or that cloud system performance provides a lower performance level for users.

The Board also notes that “establishing [a] clear strategy and ‘concept of operations’ is essential.”

Well, that step is done. Agencies, both DOD and civilian, are in fact moving here and there to cloud implementations for the obvious first-round candidates, principally e-mail and office productivity apps.

The former Air Force CIO, Dale Meyerrose, now with Harris Corp., told me a number of years ago, the way to move in IT is to start small but scale up fast. That would be a good mantra for the federal cloud movement.

Dan Gerstein

Dan Gerstein doesn’t wear khaki any more, but his career in the Army still influences his approach to his current work: practical with a touch of inspiration. As deputy undersecretary for Science and Technology at the Homeland Security Department, Gerstein helps oversee a broad array of research and development activities. The common theme, ultimately, is effectiveness of the DHS mission of homeland protection both through its own people and through first responders at all levels of government. It does this by applying R&D to both knowledge-based and technology-based solutions.

“We’re becoming much more practical with the fiscal downturn,” Gerstein said. “But rather than retreat, the way to ride through this is to develop partnerships, focus on the homeland security enterprise, and get operational capabilities to those on the front line.” Thus lean budgets in 2012 and likely in 2013 focus the directorate on developments closest to practical payoff, the soonest.

The Science and Technology Directorate, headed by Dr. Tara O’Toole, consists of four components:

The First Responders Group focuses on law enforcement, EMTs, fire and rescue and the technologies they need.

The Homeland Security Advanced Research Projects Activity (HS-ARPA) conducts R&D for border and maritime security, cybersecurity, chemical and biological threats, human factors, infrastructure security and explosives detection.

An Acquisition Support and Operations Analysis group helps components within DHS solve problems related to the named activities.

And the R&D Partnerships group focuses on working with external groups in other agencies and entities such as the national labs and universities. Outcomes go both ways, Gerstein said. Sometimes the R&D group “looks at what can be transitioned to commercial use by the Transportation Security Administration or FEMA,” he said. But analysis done by a Science and Technology Directorate partner on wave action and tidal surges was available to help local officials better predict what to expect in Hurricane Irene last year. It’s what Gerstein called technology foraging – finding promising developments regardless of originating organization that can be converted to products quickly.

As you might imagine, Gerstein said his job varies, a lot. One day he might be looking at a project on how to detect pollen clinging to shipments. Pollen is sticky and its origin might yield a clue to illegal smuggling if residue came from a poppy field or illegal orchids.

On another day, he might be looking at research in how to combine behavioral analysis of individuals who might be hiding something with explosives detection for use as a systems deployment by local airport authorities in conjunction with TSA.

Other days, he might be considering developments at HS-ARPA. The focus: “Identifying projects necessary for completion.” HS-ARPA emphasizes technologies or process improvements that fill gaps in first responder capabilities. Examples are multiband radios that solve long-standing communications blockages, or a vaccine for hoof-in-mouth disease scientists can build chemically rather than using tissue. That was developed at the Plum Island Animal Disease Center off Long Island.

“We’re all about getting capability into the hands of first responders and the homeland security enterprise,” Gerstein said. He added, the directorate staff particularly looks for technologies or processes that produce big payoffs from relatively small investments. Of particular interest, he said, are solutions to problems related in theme but widely apart technologically.

It’s a complex portfolio of activities, not only because of the range of threats and technologies under evaluation, but also because of the inter-relatedness of the directorate’s activities with other levels of government. But the inter-relationships are what make investment all the more valuable. Gerstein tries to look at the directorate’s activities holistically.

“The best way to be prepared is to have a healthy society and good first response capability,” he said. That type of thinking sees the continuum from detection of something like a SARS virus, through the response capabilities in the area affected, to the mitigation and remediation stages.

Gerstein spent 26 years in the Army, then worked for a while in industry specializing in defense and security at L3 before going back into the government. He has extensive experience in national security affairs, with a special emphasis on biological threats and weapons of mass destruction. He shares special expertise in bio-technology with his boss, Dr. O’Toole. When not working, he quipped, “I write books that nobody reads.” He is modest in talking about his own biography, which you can find here. His wife works in the Army’s Program Executive Office for Soldiers, fielding uniforms and materials in soldier kits. Gerstein has two daughters, one an Army officer and one working for a contractor supporting the Army.



I’ve been watching Federal CIO Steve Van Roekel’s federal mobility strategy take shape, starting with the Ideascale online dialog.  And, I switched smart phone platforms last weekend. It all got me to thinking – remember the very earliest electronic organizers? The more potent ones could store maybe 100 names and phone numbers. Few people had e-mail back in the 1980s, fewer still had cell phones. The monochrome devices were so clunky it was faster and easier to maintain an old-fashioned paper address book.

The Palm Pilot changed all of that. Though gone from the scene, Palm showed that handheld devices could be inexpensive, useful and good-looking. The Palm V, though it looks primitive in retrospect, was practically a fashion statement. Palm also took many people into their first mobility experience, if by mobility you mean data access with a small device as opposed to a notebook computer and modem. It was the Palm VII, with its flip-up antenna.

I used a Palm VII on 9/11, stuck in the outskirts of Memphis, where my west-bound flight that morning was grounded. My job then was editor of Government Computer News. I had to look at pages of that week’s issue as faxed to my motel by the staff back in our Silver Spring, Md. offices. But because I had a folding, portable keyboard, I could write an editorial on my Palm VII in some simple text program and send it back via the low bandwidth Mobitex network that Palm used.

Eventually Palm combined its Palm OS devices with phones and joined the smart phone race. It lost out. But there is one technology in which Palm excelled that neither RIM/BlackBerry nor Apple can get quite as right.

Now the federal government is formalizing its mobility strategy. Several idea submitters mentioned integration with cloud, having good mobile applications, and user experience as all possibly enhancing the mobile strategy.

That’s where the technology I mentioned will be critical. The technology is syncing – the matching of information between mobile devices, desktop devices and cloud or virtual disks. Sync software has been around for a long time, but in my experience only Palm ever got it right, meaning that whether you made a change on the desktop version of your database or on the mobile copy, when you next synced, they matched. Perhaps it’s because there was no cloud copy, but I never had a problem syncing any of my series of Palm phones with the Palm Desktop database.

I had endless problems when I switched to BlackBerry. Now I switched to iPhone, and the first time I synced, my approximately 1,800 contacts exploded into 8,000, with many entries duplicating themselves not twice or three times, in some cases 12 or 15 times. This took many rounds of deduping and syncing before everything settled down. And I don’t have complete faith that the next sync won’t produce the same snafu.

Imagine that happening in a cloud a federal agency is paying for (according to capacity utilization) with 10,000 or 20,000 users. Besides the storage requirements, think of the drag on productivity from calls to help desks or endless fiddling by users in attempts to make their information usable.

In the federal setting, this is more than simply the convenience of having contact information or calendar appoints match. Field gathered data, case histories, and enterprise application data simply have to be up-to-date from wherever users access them.

With so many mobile platforms, applications, and operating systems available – especially in a bring-your-own-device model – keeping data organized will be a challenge.

You’ve got to love OPM director John Berry. He knows what to do when staring down the barrel of a shotgun – in this case, Congress. Berry is master of the big gesture supported by the bullet points.

For many years, the Office of Personnel Management has been unable to get a modern system going that could automate the calculation of annuities, or retirement benefits, for newly retired federal employees. The result is that it takes an average of six months for a retiree to get his or her proper annuity payments. Retirees get around 80 percent of their estimated annuity so they don’t lose their houses or go broke waiting for retirement benefits to kick in. But still, they earned the promised benefit, and it would seem like a simple matter for the government to be able to provide it somewhere close to the day they retire.

Now Berry is promising to wipe out the backlog in 18 months, and drop the claims processing time down to 60 days – not exactly the exponential improvements promised by IT. But technology solutions have eluded OPM.

The last attempt failed in 2008 when OPM fired Hewitt Associates, its contractor for the RetireEZ project. OPM had paid Hewitt $21 million. OPM and Hewitt settled out of court with undisclosed terms. Overall, OPM estimated in the middle of the last decade that the whole project would cost $290 million over 10 years.

The more rules and contingencies in a decision-making process, the more possibilities for outcomes. Those possibilities grow exponentially as a function of the variables. So given all the variables possible in a single person’s career history that go into figuring his or her annuity, building a calculating engine becomes difficult.

But in the meantime, OPM has a backlog of 50,000 applications and adding 2,000 every month.

So while OPM looks for ways to revive the technology approach, it will apply brute force. That is, it will hire some 80 people to do nothing but work on the retirement claims processing. And it will raise production standards for people reviewing retirement applications, expand work hours and spend what it has to on overtime.  OPM’s plan states that legal administrative specialists now processing 700 claims a year can increase that to 1,100 per year with better processes.

Plus, OPM will push agencies from which the retirees arrive to do a better job of sending accurate paperwork. It is even asking the Navy to come in to do a Six-Sigma review of how OPM processes claims.

But interestingly, the technology piece is on the back burner. The heart of the plan means adding people and tinkering with the paper process. OPM will meanwhile pursue “partial, progressive” IT improvements. It will “review and upgrade” systems used by the legal administrative specialists it’s bringing in, but that sounds like replacing Windows XP machines with Windows 7, not building a calculating engine to automate all of this.

Read OPM’s plan here. It will give you some idea of how complicated figuring out an individual’s retirement annuity really is.

Teri Takai

CIOs are off to a strong start in 2012. That was underscored by the Defense Business Board (DBB). As widely reported in the trade pubs, the DBB is recommending that the DOD CIO job get more authority and independence. Only FedScoop managed to get the report and post it online. The DBB’s own web site is six months behind.

The Board’s recommendations were in connection with the cloud computing drive and the OMB directive – which DOD has picked up on – for consolidating federal data centers. It says the deputy defense secretary must be the “CEO” of change, but the CIO should drive that change, force compliance and say no when necessary. The DBB also recommended service CIOs become chief implementers of cloud computing and data center consolidation, but be accountable to the DOD CIO. The Board recommends the CIO be a “strategic partner, not back-office support provider.” Strong recommendations.

Federal Times reported that Teri Takai, the DOD CIO, was in total agreement with the board’s recommendations. Hardly a surprising revelation.

Often, the civilian and defense sides of the federal government seem to be on separate tracks, sometimes parallel and sometimes diverging. But typically Office of Management and Budget directives are really aimed at the civilian side whereas DOD takes its orders directly from Congress. Those are the tendencies, if not the absolute reality in every case.

But the DBB shows a level of plumbing interconnectedness that’s rarely noticed. The Board is composed of industry executives, some of whose companies do business with both civilian and defense agencies. In any case these people are certainly aware of the total IT marketplace across the federal government. The main guy behind the CIO report is David Langstaff, CEO of TASC Inc. TASC, a mid-sized development and engineering company, has contracts with both DOD and civilian agencies such as the FAA and NASA.

The DBB latest recommendations aren’t, so far as I can tell, directly related to an August memo from then-OMB director Jack Lew about expanding the authorities of CIOs. To fulfill the now-famous 25-point IT reform plan, OMB said that CIOs would need to move beyond policy-making and infrastructure maintenance (what I call the “computer guys” syndrome) to “encompass true portfolio management for all of IT.”

Now loop back to the DBB report. Note that in arriving at their findings, members interviewed a number of federal CIOs, including those of the armed services but also the CIO of Homeland Security (Richard Spires) and the federal CIO (Steven Van Roekel, who of course works in OMB). I’m guessing one or both of those CIOs referenced the changes detailed in the Jack Lew memo.

On the practical level, Takai is going to have to be a shrewd infighter, presuming the defense secretary accepts and implements the DBB’s recommendations. Memos, even policies, don’t guarantee action. There is a lot going on at DOD, with many swirling crosscurrents of influence vying for flat or shrinking dollars. For Takai, having authority over cloud computing and data center consolidation is proxy for having authority over many agencies’ applications, facilities and staffing. Agencies like the Defense Information Systems Agency and the Armed Services.