Owen Barwell points out something that, when you think about it, sums up many of the government’s financial and programmatic challenges.

“We understand the budget of everything, but the cost of nothing,” Barwell said. With agencies coping with innovating under non-growing IT budgets, cost understanding is critically important.

As the acting chief financial officer of the Energy Department until this week, Barwell is one of those professionals who toggles between government and industry at the career level. He’s about to depart for the private sector, but he’ll still be around. Barwell has just become managing director of Grant Thornton’s public sector practice, where he’ll work with other federal CIOs in a consulting capacity.

In an interview with FedInsider, Barwell described the complexities of the CFO function at Energy and some of the larger challenges facing all federal CFOs.

At Energy, Barwell said, the first issue is the range of subject the department deals with. “There are a lot of subject matters to get your arms around. The CFO needs to understand the issues and missions.” For Energy, that encompasses everything from nuclear weapons security to windmills. Second: “We use every financial instrument available. We pay federal employees; we award money to Energy labs as government-owned, contractor-operated entities; we do procurements; grants; and loan guarantees.”

That diverse range of programs all involves the CFO’s office. But Barwell said the authorities written into the 1990 CFO Act don’t automatically guarantee the lines of responsibility needed.

“You need good relationships with the organizations. You have to use softer measures,” Barwell said. “The CFO has to develop a culture that is professional – analytic, curious, value-added. You want the best outcomes for your customers, but also be able to say ‘no.’”

The CFO’s office at Energy includes a function that helps make it able to council the technology organization. Besides financial oversight and budget formulation, Barwell said, the CFO office also operates department-wide applications for procurement, HR and business functions. This responsibility, coupled with the financial skill inherent in the office, gives the CFO insight into a top challenge CIOs are facing: How to reduce operations and maintenance costs of legacy applications and infrastructure in order to free up dollars for new, innovative applications.

Are such savings realistic? Barwell said, “The short answer is yes, but not at the scale people might believe.” He added, “It’s imperative to develop a cost baseline. There is rising pressure from the CFO to understand what things cost.” For IT, Barwell said, the big cost drivers include software licenses; duplication of applications; network and back office operations; and security.

He added, “Intuitively, we know going to the cloud for commodity IT makes sense. Telework, mobility in the workforce – the private sector has already figured this out. All of these can reduce transaction costs. But we’re not that advanced in understanding our cost structures.”

A native of the U.K. Barwell is now a U.S. citizen, having come here in 1997. As a Price Waterhouse consultant to NASA when the company merged with Coopers and Lybrand, he joined NASA as a career employee.  Barwell worked in NASA’s business transformation office before joining Energy in 2007. Earlier, in the U.K., he worked financial positions in British Railway and electrical utilities, national entities that had been privatized during the Thatcher years.

At Grant Thornton, Barwell hopes to work with public sector CFOs on what he sees as their main challenges in the years immediately ahead. Chief among these is budgetary constraints. Also, what Barwell called a reporting model.

“We spend too much time producing statements, not necessarily meeting the needs of the general public,” he said. That involves figuring out ways, he added, of concentrating on internal controls and simultaneously displaying agency financial information that makes sense to the average taxpayer.

In a larger sense, Barwell thinks CFOs will have to contribute to assessing not just financial risks but also enterprise risks. He reasons, CFOs have an enterprise view of agencies and departments and are in a good position to see risks and challenges six months or two years out.

As an example, he cited budget formulation. “The CFOs can develop scenarios for continuing resolutions, long or short. They can model scenarios and how to mitigate no-year appropriations and the need to manage cash.” He noted the upcoming presidential elections and the uncertainty it brings. “What will transition issues be, the financial and enterprise risks? What about continuity of operations during transitions?” – which can occur in a sense even if the incumbent is re-elected but brings in a new team.

Said Barwell, “The next two to five years will be an interesting time for CFOs. They have a lot of stuff on their plates.”

Federal CIOs are beginning to think creatively about how to use cloud computing. At the same time, many of them are no longer viewing cloud computing as a major driver of cost savings, but more one of cost avoidance.

Cost avoidance has its own virtue, magnified when budgets have stopped growing, as they have for IT. But it’s not the same as reducing costs immediately. And this could have implications for whether the Office of Management and Budget’s manic strategy for IT yields the hoped for tens of billions in reductions (see next post for analysis of the latest developments in shared services).

At a recent Meritalk cloud computing briefing held on Capitol Hill, Mike Wash, the CIO of the National Archives and Records Administration (NARA) and former CIO of the Government Printing Office gave a telling example of how cloud can cause cost avoidance.

NARA is the ultimate repository of Census Data. When NARA ingests a Census-sized data set, Wash said, there’s a sudden and large demand for accessing that data. Almost as quickly, the surge falls off and goes to a steady state basically as long as the republic lasts. What a great case for cloud storage of such data, with cloud’s purported rapid scalability and de-scalability. Plus, once the data is tucked away, it is never changed, only viewed, so there are no big I/O demands. The archival quality, no pun intended, is ideal for a cloud, monthly-fee type model.

Wash said Census delivered the 16 terabytes of the recently-released 1940 census data on racks of computer and storage gear. Literally a mini data center on a truck driven across town from one agency to another. Why? There’s not enough bandwidth to transfer the data from one agency to the other electronically in any reasonable amount of time. But the truck didn’t go to NARA, it went to a private geneology company that will host it on a no-cost contract basis. To build a data center to support the data in perpetuity, Wash said, would have cost between $4 million and $5 million. So, cost avoidance.

NARA wasn’t so lucky with the 2010 census data, which amounts to 300 terabytes. “It arrived in 15 or 16 racks we have to take care of,” Wash said.

A more promising chance at actual cost reduction comes from Homeland Security, where CIO Richard Spires is planning on rolling out a pilot project he dubs “workplace as a service.” The idea is to combine desktop ⎯ that is, user profile ⎯ virtualization and light, mobile devices with monthly data plans. He wants WaaS to coincide with completion of the FedRAMP security certification project OMB promises to complete in June.

Such plans, though, might carry initial costs before the long term savings in the form of lower operating rates can settle in. Costs include:

• Virtualizing the desktops, and ensuring there is a certifiably safe cloud services provider to host the virtual users. The alternative is to find another agency with available data center capacity. But such a facility would have to be technically capable of housing and ventilating the racks of blade servers virtual environments require, which can be quite different from traditional servers or mainframes.
• Recoding or recompiling applications so they run on smartphones and tablets. It’s doable but non-trivial. And productivity applications are close to futile on anything without a real keyboard.
• Buying devices, and then securing them. That latter step is likely to require additional vendors and software licensing.
• Disposing of turned-in traditional notebook PCs for wiping and recycling.

Although cloud computing might be the policy of the land, even creative and intuitively valuable solutions like the one DHS’ Spires is planning will require rigorous planning and strong business cases to document savings or cost avoidance, whichever it turns out to be.

We now know how federal CIOs are expected to come up with future savings. The Office of Management and Budget has released its promised strategy for shared services. To begin at the conclusion, Federal CIO Steven VanRoekel has given CIOs an enormous assignment in a strategy that promises to change the IT landscape in a big way.

From my reading of the strategy, I see OMB and VanRoekel trying to accomplish three things:

• Functionally, the strategy lays out in great detail the preferred approach for accomplishing something the OMB has been pushing agencies to do since the Bush Administration. It even references the Lines of Business (LOB) initiative of that era. It sets forth several deadlines for CIOs, the first of which is August 31. That’s when CIOs have to submit their “enterprise roadmaps” for business and technology architectures, IT asset inventories, commodity IT consolidation plans, and their LOB improvement plans.

• Policy-wise, it ties together a Chinese menu of initiatives OMB’s been launching. For example, it has several references to the PortfolioStat session, in which CIOs declare their inventories of IT projects and services. You can’t consolidate and share until you know what you’ve got. Equally important is the strategy’s emphasis on the Future-First initiative. Future-first requires agencies to fundamentally change how they develop IT by using modular development, a common enterprise architecture, and assuming multiple customers of a given service.

• It expands the definition of shared services. The strategy includes but also expands on the LOBs. It imagines a day when departments will share mission-critical applications, and not just commodity services such as payroll or e-mail.

The work doesn’t end August 31, though. By December 31, everybody must have migrated at least two IT services. In theory at least, agencies were to have identified those two services already.

OMB has identified what it says are $46 billion dollars worth of duplication among 4,397 IT investments (see a summary chart in Jason Miller’s news report). So the theory is, if the government can consolidate, say, half of them, it could free up $23 billion for IT innovation. VanRoekel has said repeatedly that the goal isn’t to reduce IT spending by the government, but rather to stabilize it and change the mix of how the money is spent.

As an aside, I am presuming VanRoekel will come up with a plan to ensure that future, innovative IT development ⎯ whatever form it might take ⎯ will avoid duplication.

Some of the risks to the Shared Service strategy I see are these:

• Everybody is expected to play both sides ⎯ consumer and provider. What is the decision process for deciding among two equally good offerings?
• CIOs in a sense now have double responsibility. They must continue to provide IT services to their own departments. But now that must oversee a continuous improvement process for IT services they provide to other agency customers.
• Maintaining a promised online catalog. The CIO Council’s shared services subcommittee gets the task of keeping the master catalog of available shared services. I see challenges in accuracy, timeliness and completeness.
• Public versus private. What about contractors who provide agencies with IT services. How will they fit into the shared services model? If an agency opens its service to other agencies and part of that service is contractor supported or supplied, how will the government handle questions about software licensing and competition in contracting?

Of all the requests for information coming out lately, to me one of the most interesting is from the Defense Information Systems Agency. Go here to download the draft document describing what DISA is up to and what it wants from industry.

Dubbed the Global Network Services Capability Needs Document, the draft RFI, DISA points out sharply, “is NOT for market research. Please do not respond with company information and/or solutions. DISA’s intent is to collaboratively write, Government and industry together, the capabilities the GNS contract should acquire.”

How’s that for mythbusters? The RFI came out roughly as the Office of Federal Procurement Policy was issuing Mythbusters II. MBII follows the original MB, which came out in February 11. This time, OFPP – now under the acting leadership of Lesley Field – is aiming its myth-busting not at government but at industry. Apparently DISA got the message, and hopes contractors do, too. Even myth-busting carries risks, because in pre-RFQ communications companies don’t want to slide into requirements writing. That would preclude them from participating as product or service contractors.

Anyhow, DISA is converting how it buys bandwidth around the world. According to the synopsis, DISA is replacing several existing contracts with a single worldwide one, specifically, the Defense Information Systems Network (DISN) Access Transport Services, or DATS; the DISN Transmission Services-Pacific, or DTS-P; and Joint Hawaii Information Technology Services (JHITS). DISA also says it wants to cut its use of Networx, the telecommunications services offered through the General Services Administration.

It seems to be adopting the buy-everything-as-a-service mode. The call is for information on how to globally lease commercial, “media-independent network capacity services…anywhere worldwide…” Plus, DISA wants providers to also include connections to interfaces on Government owned equipment. It says it will lease or buy gateway equipment that ties the telecom services to basically the Defense Information Systems Network (DISN).

The agency is planning a long term engagement in unifying all of its wireline and wireless communications for the military services. It is asking vendors for what DISA’s communications capabilities should be by 2020.

Overall it looks as if DISA, in its mission of supplying communications capabilities to DOD components anywhere, is trying to reduce costs by reducing duplication in contracting operations. In another sense it appears to be creating a worldwide “cloud” of high speed services from which Defense agencies can draw. And it looks as if the agency is using the latest techniques in gathering industry input.

NextGov’s Bob Brewin points out in this blog post, DISA is seeking that industry input using social media means. It will leave a wiki available for public comment for 30 days on APAN, the All Partners Access Network. So DISA is up to date, if not on the specific tool, certainly with the zeitgeist of how industry can best weigh in. One wonders if GSA is eyeing how DISA fares, as the civilian-side supply agency contemplates the eventual successor to Networx.

A true “duh, why didn’t I think of that before” move occurred this week. Without the requirement of any enabling legislation, a few of the Obama administration tech whiz kids got together to form a council of federal CTOS - chief technology officers. I mention enabling legislation because the pattern for the CTO Council, the CIO Council, is required by the mid-’90s Clinger Cohen Act that established the CIO position in departments. Now all the major bureaus and independent agencies have them.

The CTO Council idea, in retrospect, makes logical sense. If you look carefully, the Obama administration strategy has been to re-orient the CIO position close to what was envisioned under Clinger-Cohen. In that sense, it’s not really a technology position, but a management one. The Obama Office of Management And Budget has pushed for CIOs to have budgetary authority and portfolio management.  The 25-point IT management improvement plan is at least as much a management document than a technology prescription.

More precisely, it looks like the CIO Council, judging by its technology portfolio, is more concerned with policy issues and technology where it cuts across all agencies. Under the “what we’re working on” tab at its web site, the CIO Council lists IT reform, data center consolidation, cloud computing, transparent government, cybersecurity and IT workforce.

That leaves applications to CTOs. CTOs have established a couple of important online initiatives that are application-like, such as the Blue Button initiative. VA CTO Peter Levin called out this initiative during the AFCEA event where he described the new council.

Todd Park just became the chief technology officer for the administration, a job that resides in the Office of Science and Technology Policy. But, according to news reports of the council formation, he will not chair it. Instead it will be chaired by direct White House staff. Specifically, Jonathan McBride, White House deputy director for presidential personnel. He was behind the so-called Technology Cohort, a sort of multiple-agency brain trust also lead by the presidential personnel office.

This cloud of OSTP, appointee techies throughout the agency, and the White House has been behind the stream of challenge grants and prizes that use social media platforms to solicit ideas. So the new council’s focus is likely to be antipodal to the governmentwide issues of the CIO Council by concentrating on highly focused ideas for agency-specific problems. Levin said as much, quoted in Federal Times, referring to “very specific, nitty-gritty technology issues.”

A small but important piece of news is that the CTO council, like the CIO, Chief Human Capital Officers, and Chief Financial Officers Councils, will include both career and appointed CTOs.

With the CIO Council concentrating on its list, and the CTOs assigned to the “nitty gritty,” where does that leave enterprise applications and development projects subject to the TechStat reviews? My guess is those will be supervised by both CTOs and CIOs, with the weight going to CIOs. I say that because the person doing the most talking and reminding about TechStat is the Federal CIO, Steven VanRoekel. But program managers whose missions live and die by these projects will also have to keep a sharp eye out. The danger here is parallel to the adage about supervising children at a swimming pool: when everyone is watching, no one is watching.

Until now, CIOs and CTOs have existed as sort of blurry adjuncts to one another. Now the roles are more clearly delineated. Their challenge will be making sure nothing is lost in between.

In FedInsider #98, I wrote 2012 would be the year of cybersecurity. It looked as if Congress would finally pass comprehensive cybersecurity legislation so agencies and the federal IT market could establish a more definitive path.

I may have spoken too soon.

A fast review: In Congress’ last session and the one before that, multiple cyber bills found their way into committees. It took until this session for those bills to coalesce into single bills. In the Senate, the Cybersecurity Act of 2012 came out of the Commerce, Science and Transportation Committee and the Homeland Security and Governmental Affairs Committee. The House Homeland Security Committee has its version. It looked as if reconciliation wouldn’t be difficult.

But in recent weeks competing versions of both bills have sprouted. A group of Republican Senators led by John McCain introduced the SECURE IT Act. Large tracts of the SECURE IT Act contain identical language to the earlier bill. Both bills rewrite the Federal Information Systems Management Act (FISMA), the most important provision to federal agencies.

But it differs in one important respect. It rejects the notion of having the Homeland Security Department set standards for industry to use in the protection of systems that control critical infrastructure. It does establish a formal information sharing regime for threat information between the private sector and DHS, with legal protections related to antitrust.

That different DHS roles between the two bills represents a philosophical divide that may not be bridgeable.

In the House, the PRECISE Act takes a somewhat more controlled approach to regulating the cyber practices of private owners of critical infrastructure. This bill’s main sponsor is California Republican Dan Lungren, chairman of the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. But, like the Senate bill, it places the Homeland Security Department at the center of setting standards and data gathering. Not just DHS, but also other departments that already interact with specific vertical industries.

Now the chairman of the House Committee on Oversight and Government Reform, California Republican Darryl Issa, has come out with a separate bill. Issa’s bill specifically rewrites FISMA, and it puts the Office of Management and Budget at the center of cyber coordination, not DHS, for civilian agency systems.

My reading of these two bills is that they aren’t incompatible, as are the two Senate bills. Lungren deals with the private sector, Issa with the federal government. The Lungren bill would establish a non-profit, quasi-governmental entity called the National Information Security Organization. According to this summary the PRECISE Act’s NISO would tie into DHS’ National Cybersecurity and Communications Integration Center.

But a blending of these two bills would still result in a bill incompatible with either of the Senate bills. So first the Senate has to sort things out within itself, and then the two chambers must reconcile. All of that might still be possible in a normal year, but this is one of the most contentious years in the most contentious time in more than 15 years.

The common desire among all of the Hill actors aims at rewriting FISMA, something most agency cyber practitioners also want. So perhaps Congress can focus on a smaller bill and get that done. Many agencies are already doing more cyber monitoring and reporting already than the current version of FISMA requires. Private sector critical infrastructure may have to go another year or longer without the benefit of Congressional involvement. I recently interviewed one analyst, Jim Harper of the conservative Cato Institute, who argues that there is sufficient self-interest in electrical utilities, banks and other critical infrastructure owners that they get the importance of protecting their own systems.

It may be, a privacy-protected, information-sharing, common operating picture scheme will have to suffice in place of outright regulation.

I’m only a couple of months into my own iPhone phenom, but I’ve downloaded about 25 apps so far. The fun thing about such devices is how far you can personalize them, yet when you hand it to someone at a party they know exactly how to take a picture with it.

I’d noticed that the little “App Store” button on my iPhone kept accumulating numerals in a little red circle. Remember, I’m new here, even though I’ve had smart phones for a decade. Finally my wife explained that those numbers represented how many of my apps had updates available. Big revelation. Several of the apps, free or 99 cents in the first place, improved noticeably after I updated them. No charges for the updates.

Which brings me to the Veterans Affairs Department and its recent decision to, as NextGov put it, “junk” its volume license agreement with Microsoft for desktop products. VA explained its decision in this memo.

Assistant Secretary for Information and Technology Roger Baker states that the current enterprise licensing agreement, called Software Assurance, expires and renewing it would lock VA in for the next five years.

In my opinion, this is a gutsy move for a large organization, and it’s a wake-up call to enterprise software manufacturers.

Keep in mind, no one actually buys software. You buy a license to use it. Software has no corporeal existence. It’s a manifestation of intellectual property. Individuals buy single or small multi-pack licenses, and these are nearly always perpetual, meaning you can use the software forever. Microsoft typically allows individuals to install its software on two processors, as long as only one is operating at a time.

At the enterprise level, software licensing becomes a bit of a negotiating dance between using organizations and the software manufacturer. Manufacturers are entitled to payment for each license, but they recognize that the single user price times the number of enterprise users becomes prohibitively expensive. Hence volume license agreements.

Agreements may be simple volume discounts, or they may entail charges for upgrades and automatic billing for additional licenses, as VA’s deal with Microsoft apparently did. So for an organization like VA, the challenge is to make sure the IT staff doesn’t install any more copies than the  organization has licenses for. Vendors have the right to conduct audits, or have third parties come in and audit. Unpaid-for licenses can result in fines and even criminal charges.

What about upgrades? From the tone of Baker’s memo, it sounds like VA is content with versions it has now of Windows and other applications. Security patches are generally outside of version updates, and so VA has little to gain from continuous upgrades. Besides, Windows 8 is already looming on the horizon.

Most revealing in the memo is the reference to mobility and cloud and the changes to enterprise computing they portend. Baker states, “The market for desktop and server software is changing, with substantial impact from both cloud service providers and personal mobile devices.”

That’s a big wake-up call to the software industry.

A quick primer on software licensing: When subscribing to cloud apps as monthly or yearly services, current market practice has the vendor simply offering the latest version of whatever, but the monthly payment remains constant. And because mobility and cloud apps go hand in hand, and VA has been working towards getting more mobile devices to work securely on its network, Baker is looking down the road to when most users are using cloud-provided apps. Not all users will be mobile. Organizations can cut costs of supporting stationary users by replacing PCs with thin clients.

Getting back to mobile apps, I don’t see enterprise applications or enterprise deployment of individual applications getting to the iPhone model. But the software industry is likely to face a new strategy that aims for somewhere in between, if VA’s rejection of continuance of the old model is a bellwether. Technically, it’s already happening: Witness Microsoft’s online 365 cloud applications. Dollars and cents form the tougher challenge. Financially, the question is how the enterprise software industry will get its costs in line with models offering a lower-dollar option to large customers.

Who pays for employees’ devices in bring-your-own-device to work setups? BYOD might be the last frontier in the journey from mainframe computing, in which only standardized terminals could even be connected.

For the last couple of years, federal CIOs have recognized the possibilities and perils of this setup. Back when he was federal CIO, Vivek Kundra suggested the model of federal employees buying or receiving (more on that) devices of their choosing, with the federal government providing a monthly stipend or wireless plan.

At the root of all this is that the government, with its vast workforce, is subject to the same winds of “consumerization” of IT as any other organization. Plus if policy pursues telework and mobility, whoever said a standard notebook PC is the only device to comprise a workable solution.

CIOs have spent a lot of time focusing on security. But that question is largely solved. DOD still has an arduous process for approving devices, but it’s working hard to speed it up. Last year the Army, somewhat humorously, approved a Dell device that ran the Android operating system. But by the time it was approved, Dell had stopped manufacturing it. As Federal News Radio reported, the Defense Department is putting the giddy-up on its process.

Nearly all devices support remote wiping, encryption, and disablement of security question marks like bluetooth and on-board cameras.

The management and implementation of BYOD, however, demands much more comprehensive thinking. In fact, as the current CIO, Steven VanRoekel, develops the comprehensive mobility strategy, BYOD guidelines should be part of it. One good place to start is a comprehensive white paper by InfoWorld’s Galen Gruman. (You must register to be able to download the PDF.)

Among the questions CIOs and agency leadership must resolve:

• Who pays for the device, the agency or the employee?
• If an enterprise application and/or VPN access to agency databases and other resources exist on the device, regardless of who paid for it, can the IT staff wipe it remotely if need be and do employees understand this?
• Does the agency pay for the full data and minutes plan, or offer a monthly stipend?
• If the agency pays, what personal use is acceptable, and what happens when the user reaches the data limit in a given month?
• For that matter, what is the wireless strategy? For example, does the agency negotiate with a single carrier for all users under, say, a Networx contract?
• Not all users are alike; what rules and policies apply to various types of users?
• What happens when an employee leaves, both to the device and to the data that may still be on it?
• How will the agency manage all of the devices - by itself with a mobile device management tool, or using a contractor?

As you can imagine, the possibilities are as varied as agencies and their work requirements. What agencies need to avoid is even trying to craft one-size fits all strategies. Instead, they’ll have to build a menu of options administered on a roles basis by the IT staff.

BYOD upsets the notion, never really fully established, of the Core Desktop Configuration, which was to be the Windows PC image for all of the government. For analysts at, say, the National Nuclear Security Agency, a thoroughly controlled desktop configuration might be a must. Most agencies will see a rise in variation of OSes and configurations they’ll have to support.

And, as we said a couple of issues ago, BYOD policy ultimately must derive from applications. Enterprise applications are subject to re-engineering for small touch screens. E-mail, of course, was what got people into the smartphone business in the first place. Perhaps ironically, the basic productivity applications - word processing, spreadsheets - are the least suited to tablets and smartphones because of their severe keyboard limitations.

Still, the BYOD will change the CIO and agency technical staff functions fundamentally because they won’t have the same kinds of control they had in the past.