FRAMINGHAM (02/27/2004) - There has been no better time to be an IT outsourcer seeking a government contract. According to a study by technology advisor INPUT, the U.S. federal government's spending on outsourcing will almost double in the next five years, from US$8.5 billion to $15.5 billion.
One of the reasons for this growth is a Bush administration initiative to streamline the federal government and improve its technical capabilities. As the federal government's fiscal year 2002 budget was being prepared, the Bush administration crafted a large initiative aimed at ensuring government agencies are using taxpayer-funded budget dollars as effectively as possible. This plan, named the President's Management Agenda (PMA), evaluates performance across 27 agencies in five governmentwide initiatives:
- Strategic management of human capital
- Expanded electronic government
- Competitive sourcing
- Improved financial performance
- Budget and performance integration.
Under each of the five initiatives, the Office of Management and Budget (OMB) ranks each federal agency's technical capabilities with a stoplight scoring system known as the "scorecard." On a quarterly basis, the scorecard system ranks each major federal agency and cabinet office with a red, yellow or green mark for technical expertise and preparedness for both network and application management.
What's the Score
The scorecard is designed to give a current status rating, graded at the end of each quarter. At the same time, the scorecard rates the progress made from the previous quarter on the five initiatives. In this way, each agency -- and the public -- can determine whether it has made positive or negative progress in its efforts.
A green signal indicates that an agency's strategic plan has met all the success standards, while a yellow signal shows that some, but not all, of the standards have been met. When a red signal is assigned, the agency's strategic plan is showing serious flaws in composition of elements, achievement of results, or more.
Specific to electronic government, green, yellow and red standards are based on certain relevant criteria, including:
- Whether an agency's technical project is based on a strong business case
- Cost and scheduling of project implementation
- The presence -- or lack -- of a security remediation process
- Whether the project participates in E-Gov initiatives, whose goals are to integrate disparate agency operations and governmentwide investments in information technology systems.
Scorecard grades are based on "standards for success," which were developed by the President's Management Council, composed of chief operating officers of major federal agencies and the cabinet. The Council is focused on helping the government address performance management at the federal level. Others who reviewed the scorecard's standards for success include academics and other government experts, including the National Academy of Public Administration.
Results.gov, a compendium of the data pertaining to the PMA initiative, says there are four major areas in IT where the federal government is failing:
- Agencies often automate existing processes instead of fixing underlying management problems or simplifying business processes to take advantage of new e-business and e-government solutions.
- Multiple departments and agencies buy the same IT items, resulting in duplicative investments rather than integrated efforts across the government.
- On average, only a few federal IT investments have significantly improved mission performance, and many major IT projects do not meet cost, schedule, and performance goals.
- Major IT security gaps exist within and across federal agencies.
Federal government agencies are under enormous time pressure as well to comply with the standards. The OMB scorecard is updated quarterly, and if an agency gets a red mark three quarters in a row, OMB may withhold -- or at the very least question -- an agency's funding. This means that federal agencies must address their IT systems performance now.
Getting to the Green
In order to spend their IT dollars more efficiently and improve their IT performance, many agencies are turning to a selective outsourcing model. Selective outsourcing involves engaging an external service provider to perform select, strategic IT functions. This type of engagement allows government agencies to utilize a vendor from the private sector who can quickly assess the IT operations challenges within an agency.
Recommendations for systems performance improvements can be quickly implemented. A major advantage to this model is that it allows an agency to outsource only critical functions (or only those that are in most need of improvement) while it maintains control of its IT systems and projects. Additionally, most service providers implement their solution within weeks, so the benefits can be realized almost immediately.
While selective outsourcing provides a relatively fast, low-cost solution, the option also delivers enhanced security. In April 2003, Government Computer News published the results of an e-mail survey of its readership designed to better understand the top challenges facing government outsourcing projects. Among responses, security was recognized as a top concern by 52 percent, second only to funding, which registered at 53 percent. Other key challenges included enterprise architecture and implementing e-government initiatives, which both made the list in the low 30 percent range.
Government security issues are vast. A quick look on the GovernmentSecurity.org website reveals issues as complex as database security, encryption, and guarding against hacker and denial-of-service attacks, to name just a few. The resources required to address network security -- and get agencies up to higher "scorecard" marks -- can be immense, both from a time and financial perspective.
Selective outsourcing can relieve the time and financial pressures required to solve many of the issues still noted as causing problems for federal government networks. This could be good news, as a report prepared for the House of Representatives' Committee on Government Reform released on December 9, 2003, gives the federal government overall a "D" on its 2003 annual report card. While this mark is up from an "F" in 2002, it represents a huge need for progress in securing the nation's computer networks.
Selective outsourcing can relieve the current pressure to provide government network security, and it can enhance the levels of security maintained over the long term. With the rapid pace of technological change and more functions being automated than ever before, having a service provider tend to this function on behalf of any single government agency or series of agencies is a tremendous benefit. It can, in fact, lead to even higher levels of security than an agency alone was able to provide before the outsourcing program was put in place.
A solid security program for federal government would include the following:
- Proactive Security: A proactive security plan ensures that all systems have up-to-date patches based on industry best practices. The task of monitoring patch updates from all commercial manufacturers can be daunting. Because a large number of patches is released every day, and the number of software systems in place in any federal environment is large, the task of monitoring these systems can be overwhelming if not placed in the hands of a worthy supplier.
Also included on the list of proactive security measures is a routine review of configurations of managed servers and devices to ensure that the configuration does not weaken the security posture of the network. It is also imperative to perform routine scans of all systems and networks.
- Subscription Services: Subscription services exist to eliminate the pain of constant 24x7 maintenance of the network. As noted above, due to the large number of systems in place in the federal government and the amount of data that needs to be protected, a subscription service could be designed to handle the management of security devices (e.g., firewalls, IDS, VPNs) and/or management of security applications.
With a subscription service in place, the customer receives the benefit of off-site redundancy, predictable operating costs, scalable solutions depending on need, rapid implementation of service and minimal capital investment. Because funding also ranks high on the list of outsourcing concerns, the ability to avoid large initial investments in capital equipment and upgrades could help government agencies across the board deliver superior service while bringing down operational costs significantly.
- Professional Services: With a contract for selective outsourced services also comes critical value-added services. Not only does outsourcing bring broad technical and implementation knowledge, but it also delivers access to specialists in application security. The federal agency is relieved of the need to hire staff with specific knowledge at high cost, and can instead look to one company to provide a broader range of knowledge than an individual could.
In addition, the outsourcer can provide high-level risk, vulnerability and disaster recovery assessments. As an added service, the outsourcer can work to develop appropriate security policies for the federal agency that will ensure secure networks into the future.
Some additional "must-haves" include the ability to monitor a network with a holistic view. Traditional security monitoring is very focused on the perimeter of a network, including firewalls, IDS and more. However, the target of most attacks is farther in toward the application level. The use of predictive monitoring devices can help a government agency detect patterns that do not match those seen before and prevent, for example, a denial-of-service attack. There are valuable methods that can be used to relate many different events together to form a true incident with a specific pattern that can be related to an attack.
A final item worth highlighting is the need to truly focus on the application layer, with the added ability to reach down to the network. Traditionally, outsourcers focus on the network and attempt to reach up into the application layer. However, this process makes it extremely difficult to truly identify attacks, which in nearly all cases are launched against the application. The ability to protect the application layer provides an enhanced level of security across the network.
The federal government has implemented the scorecard approach to enhance the management of its networks and applications and their cost-effectiveness. While scorecard systems may not be active in every organization -- public or private -- CIOs still need to seek out the most effective way to run efficient, secure networks. With an eye to network efficiency and security, selective outsourcing is a model that provides high levels of both.
Peter Weber is the CEO of SevenSpace Inc., an IT service provider located in Ashburn, Va., and online at sevenspace.com.