THE BUSINESS OF FEDERAL TECHNOLOGY
VOLUME 26 NUMBER 18
OCTOBER 30, 2012

HOW TO STAY OUT OF THE HOT SEAT
6 tips for getting along with Congress and keeping your cool at the witness table

Trending

119 federal data centers were slated to close in Q3 of 2012. The latest agency progress reports were due Oct. 26.

GAO: Strategic sourcing is a missed opportunity
Agencies are failing to take full advantage of the chance to save significant
money through strategic sourcing,
according to a new report from the
Government Accountability Office.
In fiscal 2011, the departments of
Defense, Homeland Security, Energy
and Veterans Affairs spent 80 percent
of the government’s total $537 billion
in procurement spending, but fewer
than 5 percent of those dollars were
managed through strategic sourcing.
The four departments reported $1.8
billion in savings from the purchases
that were strategically sourced, a
process in which an agency takes a
broader cross-departmental approach
to purchases. By consolidating individual contracts, agencies can save from
5 percent to 20 percent, GAO found.
For example, DHS saved $324 million
through strategic sourcing in fiscal
2011 and earned praise last year from
the Office of Management and Budget.
But overall, strategic-sourcing savings equaled less than 0.5 percent of total procurement spending.
GAO compared the four departments’ data to those of leading private-sector companies. The private firms strategically manage about 90 percent of their procurements and save roughly 10 percent or more. One unnamed company with $55 billion in annual spending focused on reducing expenses related to services so that it could cut operating costs by 10 percent to 15 percent. GAO auditors said a similar savings rate would yield the federal government as much as $50 billion annually.
GAO said the secret is to use strategic sourcing for services, which is the biggest area of spending for agencies. However, federal officials told GAO that requirements for services are difficult to standardize and it is easier to show results when they use strategic sourcing for commodities.
GAO’s recommendations include having Joe Jordan, administrator of the Office of Federal Procurement Policy, tell agencies to track the savings generated from strategic sourcing and use the Federal Strategic Sourcing Initiative to identify products and services governmentwide that would be well
Continued on Page 8

Federal procurement spending in fiscal 2011
$537 billion total
$25.8 billion through strategic sourcing (5 percent of overall spending)
$1.8 billion in savings through strategic sourcing (0.34 percent of overall spending)
Source: GAO

FCW CALENDAR

10/30 Big data
This webcast will announce winners of the 2012 Government Big Data Solutions Award and highlight tips for mission-focused big data deployments. Cloudera Webcast Series. is.gd/wemomo

11/2-9 Innovation and social media
The weeklong festival for designers, developers, entrepreneurs and social innovators of all kinds includes 100-plus events around Washington. DCWeek 2012. is.gd/alajoq

11/7 Secure information sharing
Gen. Keith Alexander, commander of U.S. Cyber Command and NSA director, will keynote this conference on the security challenges that come with improved information sharing. Symantec Government Symposium, Washington, D.C. is.gd/lafafo

11/8 Election impacts
Two days after the 2012 elections, a panel of journalists, including FCW Executive Editor Troy K. Schneider, will assess the outcome’s implications for government/business relations and longer-term technology trends. NVTC Business to Government Committee Event, McLean, Va. is.gd/qaraze

11/13 Digital government
Harvard’s John Palfrey will discuss the promise and perils of highly interconnected systems at this daylong conference on deploying Web-based applications, produced by FCW parent company 1105 Media. Akamai Government Forum, Washington, D.C. is.gd/icegid

11/14 Interagency collaboration
GSA CIO Casey Coleman and OMB Deputy CIO Lisa Schlosser are slated to speak on the importance of dialogue across federal departments. AFFIRM Monthly Speaker Series, Washington, D.C. is.gd/onuqun

11/15 BYOD
The role of bring-your-own-device policies in fulfilling the Digital Government Strategy, federal case studies and pilot programs across government, and the management and cultural challenges that come with BYOD are among the topics of this breakfast discussion. AFCEA Bethesda Monthly Breakfast Series, Bethesda, Md. is.gd/saluwi

October 30, 2012
FCW.COM
3
Contents 10.30.12

FEATURE
Cyber insecurity: Managing against the risks
Firewalls and other barriers can’t begin to guard against every threat. Today’s interconnected systems and mobile workforce demand a very different approach.
BY BRIAN ROBINSON

COVER STORY
How to get along with Congress
Testifying before a congressional committee doesn’t have to be an ordeal. These tips can help agency leaders stay calm and focused under fire.
BY BOB WOODS

PROFILE
Maj. Gen. Mark Bowman: Leading DOD across the enterprise finish line
IT is playing a key role in bringing together the military services to share information, services, platforms and costs. Behind the scenes, Maj. Gen. Mark Bowman is helping to drive that change.
BY AMBER CORRIN

TRENDING
PROCUREMENT GAO: Strategic sourcing is a missed opportunity
FCW CALENDAR Where you need to be next
DEFENSE Air Force expands cybersecurity mission
TECHNOLOGY Industry to agencies: Start small with big data
CYBERSECURITY Data leaks: An inside job
CRITICAL READ A report from DHS’ Task Force on CyberSkills
PEOPLE David Shearer leaves USDA for (ISC)2
SOCIAL MEDIA A new mayor on Mars

DEPARTMENTS
EDITOR’S NOTE Managing risk, cyber and otherwise
COMMENTARY
Where are the bold ideas for remaking government? BY ALAN BALUTIS
Acquisition workforce under siege BY ANNE REED, DAN GORDON AND AL BURMAN
3 keys to boosting employee satisfaction BY SAMPRITI GANGULI
EXEC TECH Disaster recovery: Should you trust it to the cloud? BY ALAN JOCH
DRILL DOWN A 21st-century approach to democratizing data BY CHRISTOPHER J. LYONS AND MARK A. FORMAN
BACK STORY A cyber conundrum

CHIEF CONTENT OFFICER: Anne Armstrong
EXECUTIVE EDITOR: Troy K. Schneider
PRINT MANAGING EDITOR: Terri J. Huck
ONLINE MANAGING EDITOR: Michael Hardy
SENIOR WRITER: Matthew Weigelt
STAFF WRITERS: Amber Corrin, Camille Tuutti
CONTRIBUTING WRITERS: Alan Joch, Brian Robinson
CREATIVE DIRECTOR: Jeff Langkau
ASSISTANT ART DIRECTOR: Dragutin Cvijanovic
SENIOR WEB DESIGNERS: Biswarup Bhattacharjee, Martin Peace
SOCIAL MEDIA MANAGING EDITOR: Heather Kuldell
DIGITAL MEDIA PRODUCT MANAGER: William Winton
EDITORIAL ASSISTANT: Dana FitzGerald
EDITORIAL INTERN: Emily L. Cole

PRESIDENT: Anne Armstrong
CHIEF OPERATING OFFICER: Abraham M. Langer
SENIOR VICE PRESIDENT/GROUP PUBLISHER: Jennifer Weiss
VICE PRESIDENT, MARKETING: Carmel McDonagh

PRESIDENT AND CHIEF EXECUTIVE OFFICER: Neal Vitale
SENIOR VICE PRESIDENT AND CHIEF FINANCIAL OFFICER: Richard Vitale
EXECUTIVE VICE PRESIDENT: Michael J. Valenti
VICE PRESIDENT, FINANCE & ADMINISTRATION: Christopher M. Coates
VICE PRESIDENT, INFORMATION TECHNOLOGY & APPLICATION DEVELOPMENT: Erik A. Lindgren
VICE PRESIDENT, EVENT OPERATIONS: David F. Myers
CHAIRMAN OF THE BOARD: Jeffrey S. Klein

HOW TO REACH THE STAFF
You can reach staff members of 1105 Government Information Group. A list of staff members can be found online at www.fcw.com.
E-mail: Staff members can be reached by using the naming convention of first initial followed by their last name @1105govinfo.com.
Vienna Office (weekdays, 8:30 a.m. – 5:30 p.m. ET)
(703) 876-5100; Fax (703) 876-5126
8609 Westwood Center Drive, Suite 500, Vienna, VA 22182-2215
Corporate Office (weekdays, 8:30 a.m. – 5:30 p.m. PT)
(818) 814-5200; Fax (818) 734-1522
9201 Oakdale Avenue, Suite 101, Chatsworth, CA 91311

FCW (ISSN 0893-052X) is published 21 times a year, two issues monthly except one issue in Jan, Feb and Dec by 1105 Media, Inc., 9201 Oakdale Avenue, Ste. 101, Chatsworth, CA 91311. Periodicals postage paid at Chatsworth, CA 91311-9998, and at additional mailing offices. Complimentary subscriptions are sent to qualifying subscribers. Annual subscription rates payable in U.S. funds for non-qualified subscribers are: U.S. $125.00, International $165.00. Annual digital subscription rates payable in U.S. funds for non-qualified subscribers are: U.S. $125.00, International $125.00. Subscription inquiries, back issue requests, and address changes: Mail to: FCW, P.O. Box 2166, Skokie, IL 60076-7866, email FCWmag@1105service.com or call (866) 293-3194 for U.S. & Canada; (847) 763-9560 for International, fax (847) 763-9564. POSTMASTER: Send address changes to FCW, P.O. Box 2166, Skokie, IL 60076-7866. Canada Publications Mail Agreement No: 40612608. Return Undeliverable Canadian Addresses to Circulation Dept. or XPO Returns: P.O. Box 201, Richmond Hill, ON L4B 4R5, Canada.

Editor’s Note
Managing risk, cyber and otherwise
The need for risk management extends to the budget and agencies’ relationships with Congress

For federal technology executives, risk management is
always a challenge. But as demands multiply and dollars
shrink, there seem to be more risks than ever.
That is certainly true in the case of cybersecurity, where
the days of impenetrable defenses — if they ever truly
existed — are clearly gone for good. (Brian Robinson looks
at some of the choices agencies must make in
the article that begins on Page 14.) But there are
risk management challenges in broader budget
categories as well and in the personnel churn that
inevitably comes after any presidential election,
regardless of who wins the White House.
This fall, that balancing act is even more
difficult because budget politics have intensified
the usual game of political chicken over funding
the government. The continuing resolution pushed
Congress’ most basic responsibility six months into the
new fiscal year. Although agencies are grateful to have at
least six months of funding, the threat of sequestration,
triggered by the supercommittee’s failure to trim the
debt, has injected a new level of uncertainty and risk into
everything federal managers are trying to accomplish.
The continuing resolution provides a scant 0.6 percent
across-the-board increase above fiscal 2012 levels and
precludes new starts or projects. Should Congress fail to
avert sequestration, agencies will face automatic cuts of
some 10 percent come Jan. 2, 2013. Just calculating how
much they actually have to spend could consume a good
part of the next six months for large agencies.
Perhaps the one challenge that is clear and constant
for FCW readers these days is the need to connect with
Congress and make certain the oversight committees know
what is happening. (On Page 20, Bob Woods draws on his
agency experiences to show how and why agencies should
forge strong ties with Congress.) Even if the Hill is not
performing its most basic function, legislators need to be
kept up-to-date on the consequences. It’s the only way for
executives to navigate these difficult times.
— ANNE ARMSTRONG
aarmstrong@fcw.com
Sponsored Report
BIG DATA
Why you should care about Big Data
How to handle the torrent of data cascading into government agencies

What do these diverse projects have in common?
• Fewer combat troops in Afghanistan are being injured or dying from “improvised explosive devices” (IEDs) because the lethal mines are being discovered before they detonate.
• A pattern-matching tool is being developed to find schools that provide fake student visas to potential terrorists.
• Any citizen can go online and in a few clicks see how his tax dollars are spent by award size, jobs created, status, location and other variables.

They represent the different ways that local, state and federal agencies are accomplishing their missions by leveraging “Big Data.”
Different people define Big Data in different ways, but it’s typically described in terms of the three Vs:
1. The volume of information
2. The variety of information and
3. The velocity of information, the speed at which data becomes available and can be analyzed

The three Vs usually drive organizations to deploy new techniques and technologies to cope with these factors, which often are incompatible with their existing business intelligence and analytics infrastructures. “Some people mistakenly think Big Data simply means they can’t afford to back up all the data they currently have,” says Bob Gourley, former CTO of the Defense Intelligence Agency and founder of Crucial Point LLC, a technology research and advisory firm. “But when you say Big Data, that usually implies a new way of doing analysis to make sense out of the data.”
In a survey conducted in August by the Government Information Group, percent of the almost respondents agreed that unless they use Big Data, it will be more difficult to meet their agency’s mission (see chart). As a result, even in economically tough times, percent of the respondents expect to increase their Big Data budgets, while another percent plan to maintain their budgets.
Eric Sweden, program director for enterprise architecture and governance at the National Association of State Chief Information Officers (NASCIO), says such survey findings reflect agencies’ growing need to use data to understand the full portfolio of issues that they are facing. “As we go forward, the concept of issues management will be more and more complex,” he says. “The percent who say they need Big Data to accomplish their mission are recognizing that complexity and the need to gather information from a more diverse set of sources — video, audio, newspaper articles, as well as traditional transactional data — to develop the knowledge to make critical strategic decisions.”

Big Data becoming vital to meet agency missions
Agree strongly: 18%
Agree somewhat: 45%
Neither agree nor disagree: 23%
Disagree somewhat: 7%
Disagree strongly: 7%
% of respondents who agreed or disagreed with this statement: Agencies that are unable to implement and use Big Data will find it more difficult to meet their agency’s mission.
Source: Government Information Group Research Study

Other Big Data Research Report Articles
2. More robust analytical tools needed
3. The data deluge conundrum
4. The Big Data talent hunt
5. Overcoming the Big Data challenges
FULL REPORT ONLINE
Go to fcw.com/bigdataresearch

Trending

24,500 DHS jobs could be lost to sequestration, according to Rep. Norm Dicks (D-Wash.), ranking member of the House Appropriations Committee.

Continued from Page 3
suited to that procurement approach.
In an e-mail message to FCW, Jordan said the government has made progress and that President Barack Obama’s insourcing and acquisition workforce reforms have included telling agencies to buy smarter through strategic sourcing.
“As a result, we have seen tremendous progress in leveraging the buying power of the federal government to deliver better prices for taxpayers and are committed to ramping up these results moving forward,” Jordan said.
“Strategic sourcing has also been a topic of tremendous focus for top private-sector leaders on the President’s Management Advisory Board, and we are committed to drawing on private-sector best practices along with the many learnings from our agency experience as we work with agencies to ramp up efforts this year,” he added.
In response to the report, Rep. Darrell Issa (R-Calif.), chairman of the Oversight and Government Reform Committee, said agencies need to step up their efforts on strategic sourcing.
“The federal government must do better when purchasing commonly used goods and services — especially information technology — where inefficiency and waste [are] substantial,” he said in a statement.
Issa’s proposed IT procurement reform bill would mandate priority consideration for strategically sourced goods and services. “As the GAO has underscored, leading private-sector companies have successfully used strategic sourcing since the 1980s and saved billions of dollars,” Issa said. “It is time the federal government catches up.”

Air Force expands cybersecurity mission
On the same day that Defense Secretary
Leon Panetta was in New York warning of a “cyber Pearl Harbor,” Air Force
officials in Virginia said the service is
making significant progress in both
defensive and offensive cyber capabilities, as well as in understanding what
is happening on its networks.
“We need resiliency in our hardware,
our software and the applications,” Air
Force CIO Lt. Gen. Michael Basla said
at AFCEA’s Air Force IT Day on Oct. 11.
“That resiliency will provide us…with
the ability to fight through an attack.…
We’ve certainly bolstered networks to
provide availability…but we haven’t
paid quite as much attention to developing a consistent, repeatable and reliable way of guaranteeing the integrity
of our information.”
Basla said the service is bringing in
outside help to get a better idea of the
limitations. The Air Force has tapped
Rand, for example, to analyze the
effects of malicious network activities
on command and control systems.
According to Brig. Gen. Burke Wilson, deputy commander of Air Forces
Cyber, the service is beefing up both
defense and offense on its networks.
“We’re expanding the mission. Clearly, there is a threat out there,” Wilson
said. “We can’t wait for zero-days to hit;
we have to be able to see across the
network.”
That full-spectrum visibility — a
sense of situational awareness within
and beyond cyberspace — remains
a soft area, particularly because the
domain is newer than the traditional
spheres.
“That is probably one of the highest
priorities of our senior leaders,” Basla
said. “We need to continue to grow that
situational awareness cyber picture, and
then…get the cross-domain picture
between air, space and cyberspace
because you’re going to find tippers
when you look across those domains,
and you’ll derive way more intelligence
value.”
“We’re looking at defense differently.… It’s really a paradigm shift,”
Wilson said.
30,000 computers were rendered useless by the Shamoon virus, which
Defense Secretary Leon Panetta called the most destructive attack
yet on the private sector.
Industry to agencies: Start small with big data
A new report on big data urges federal
agencies to start small but start now
and calls for the creation of a chief data
officer position at each agency and also
governmentwide.
“Demystifying Big Data,” released
Oct. 3 by the TechAmerica Foundation, attempts to define big data and
its value, and offers 10 case studies
to illustrate how big-data
projects can serve critical government missions.
Half of those examples
showcased federal
projects.
Government has been
at the forefront of creating and sharing big
data, said SAP’s Steve
Lucas, global executive
vice president of SAP’s Database and
Technology division and co-chairman
of TechAmerica’s Federal Big Data
Commission. “If you think about what
we take for granted today — population data, weather data...we have the
federal government to thank for it,”
he said. And now, with agencies sharing
thousands of datasets and the cost
of storage and analysis plummeting,
“you’ve got almost a perfect convergence [for putting the data to use]. It
is not a research experiment. This is
something anyone can tackle today.”
The report urges agencies to identify
two to four key business or mission
requirements that big data can address
and craft projects to meet
those needs instead of
attempting to implement
a comprehensive big data
strategy.
Regarding the report’s
call for yet another C-level
role at agencies, Lucas said
big data warrants a dedicated champion, and CIOs
and chief technology officers often don’t have the time or the
appropriate focus for big data projects.
“The reality is, if you’re a CIO and
you’re really delivering information to
your business...then maybe you get a
pass,” he said. “But we’ve [too often]
moved from a focus on the information
to just the technology.”
CRITICAL READ
WHAT: A report from the Department of Homeland Security’s Task Force on CyberSkills that outlines 11 recommendations for improving DHS’ recruitment and retention of cybersecurity talent.
WHY: DHS formed the task force to address the rising threat of cyberattacks against defense and civilian agencies. The task force’s recommendations are divided among five objectives, including how to make working for DHS more desirable than working in the private sector or at other agencies. According to the authors, the report’s recommendations will help fulfill DHS Secretary Janet Napolitano’s goal of ensuring that federal agencies and the private sector “will have the technical cybersecurity workforce needed to meet their mission responsibilities.”
VERBATIM: “Recommendation 5: Make the hiring process smooth and supportive and make mission-critical cybersecurity jobs for the federal civilian workforce enticing in every dimension: in mission and service, skills, growth potential, and ‘total value proposition.’”
FULL REPORT: DHS.gov

Data leaks: An inside job
Despite all the buzz about cyber war these days, a recent MeriTalk survey of federal information security professionals found that unauthorized data is slipping past agency defenses mainly via e-mail. Some cases may reflect sinister intentions, but careless employees seem to be a more significant risk for agencies.

How unauthorized data leaves federal agencies
STANDARD WORK E-MAIL: 48%
AGENCY-ISSUED MOBILE DEVICES: 47%
USB FLASH DRIVES: 40%
PERSONAL E-MAIL: 38%
PERSONAL MOBILE DEVICES: 33%
WEB-BASED WORK E-MAIL: 23%

Trending
David Shearer leaves USDA for (ISC)2
David Shearer, associate CIO for International Technology
Services at the Agriculture Department, has left USDA for
the nonprofit organization (ISC)2.
Shearer, whose 26-year career in public service also
included positions at the Coast
Guard and Interior Department, left
USDA Oct. 19 and started as chief
operating officer Oct. 29 at (ISC)2,
a global organization focused on
educating and certifying information
security professionals throughout
their careers.
Clinton Swett, technical support
director at USDA’s ITS, will take over Shearer’s position in
an acting role until officials make a permanent selection,
Shearer told FCW. At press time, USDA officials had not
commented on his departure.
A new mayor on Mars
NASA’s Curiosity rover is no stranger to social media. The
@MarsCuriosity Twitter account dates back to 2008. On
Oct. 3, however, the car-sized, six-wheeled robot generated new interplanetary buzz by checking in at Gale Crater
on Foursquare.
The check-ins and tips (“Mars is cold, dry and rocky.
Extra moisturizer and sturdy shoes would be a good idea,
plus oxygen for those of you who breathe.”) have garnered
nearly 25,000 likes for Curiosity on the location-focused
social network.
Not everyone is impressed, however. Wired, for example,
noted that NASA has already checked in “in space” and
asked: “Shouldn’t planet-hopping robots and scientific agencies have better things to do with their time?”
Commentary | ALAN BALUTIS
ALAN BALUTIS is senior director and
distinguished fellow at Cisco Systems’
Internet Business Solutions Group.
Where are the bold ideas for remaking government?
The nation faces a wide range of formidable challenges, but ideas for tackling them seem
to be in painfully short supply
Four years ago, I guided an 18-month
initiative to develop a management
agenda for the then-incoming 44th
president of the United States. That
initiative involved:
• A year-long seminar series to
tap into the collective wisdom of
experts with proven knowledge of
how to handle the challenges of
management in government.
• A partnership with The Public
Manager and other journals to
publicize and distribute findings
and insights from the seminar
discussions and individual experts.
• Close collaboration with other
organizations, associations,
universities, nonprofit groups,
think tanks, and so on to jointly
support innovative ideas to improve
government and the delivery of
services to the public.
• A website (NewIdeasfor
Government.org) to which
individuals from within and
outside government were invited
to submit new ideas to improve the
management of government.
This year, I am involved with several good government and academic
associations that are similarly gathering ideas and initiatives to present to
the new administration and Congress
after the election in November. At a
recent meeting here in Washington,
D.C., several colleagues laid out their
proposed report, which focused on
the human resources arena. It was a
nicely framed, well-researched and
eminently reasonable report. But
the audience’s reaction left me both
surprised and chastened.
We all know that our nation is
facing challenging times. The lame
duck Congress that will reconvene
in November must keep the country
from going over a fiscal cliff. Lawmakers must deal with the threat of
sequestration, the expiration of the
Bush-era tax cuts, a budget for fiscal
2013 to extend the existing six-month
continuing resolution, and an extension of the federal debt limitations.
At our current pace, by 2080 the total
cost of government will be more
than three times the revenue.
And there are other challenges:
the continuing war on terrorism,
increasing economic competition
from emerging world powers such
as China and India, rising energy
costs, environmental concerns, and
unknown new problems and threats.
We hear again and again that government
needs to change, that it needs
to be better managed, that it needs
to be flatter, more connected, less
hierarchical. In other words, we need
a 21st-century government.
That’s what our audience of fellows at the National Academy of
Public Administration told us at our
recent meeting. We are at a government management watershed, they
said, and are hungry for initiatives
that will remake the federal bureaucracy. So where are the big, bold
ideas to do so, they asked? The
words of Donald Kettl, dean of the
University of Maryland’s School of
Public Policy, rang in my mind. In the
opening article from our 2008 forum
on the need for a new management
agenda, Kettl argued: “Never has
American history seen a time when
management has been more important but the stock of ideas has been
so low.”
If we are at a watershed in modern government, where is the torrent
of initiatives that will remake our
bureaucracy? Where are the thinkers who will banish our 1950s-era
federal processes and structures and
remake Washington, D.C.? And why
do our career and political leaders
— intelligent, thoughtful men and
women who have been educated at
America’s finest institutions — seem
so painfully and embarrassingly short
of new ideas?
I need to think more about this
myself. Why is our government management reform cupboard so bare?
What do you think? E-mail me at
abalutis@cisco.com. ■
Commentary | ANNE REED, DAN GORDON AND AL BURMAN
ANNE REED is founder of Anne Reed Consulting and former CIO at the U.S. Department of Agriculture. DAN GORDON is associate dean for government procurement law studies at George Washington University Law School and former administrator of the Office of Federal Procurement Policy. AL BURMAN is chairman of the Procurement Round Table, president of Jefferson Solutions and former administrator of OFPP.
Acquisition workforce under siege
Agencies have made progress in hiring talented acquisition professionals, but
unreasonable scrutiny from all sides is encouraging risk avoidance and stifling innovation
What is the current status of the
federal acquisition workforce?
Have the actions taken over the
past four years helped to address
the pressures caused by insufficient
personnel and an increased
workload? What are the current
stress points?
To explore these and other
questions, the Procurement Round
Table, a nonprofit organization of
former senior leaders in federal
acquisition, recently convened an
informal discussion with a number
of current executives from multiple
federal agencies. This is the first
in a series of columns in which we
summarize some of the key points
from that discussion.
The conversation was spirited,
and there were some rays of hope,
particularly the hiring of additional
contracting specialists. One
participant welcomed the increase
in the acquisition workforce. And it’s
not just numbers. Another executive
said, “The government has hired
more super competent people as
interns in the last three years than it
has in the prior 20 years.”
Still, much of the news was
disheartening. Many participants
said the current challenges are
not related to workload, which
suggests that recent efforts to
increase the workforce are making
a positive difference. Rather, the
biggest concern was the toxic work
environment and the fear that it will
drive talented new employees away.
One executive talked about how
poorly interns are supervised, saying
they complain that they “are not
allowed to use their brains, to use
what they have been taught.”
But the problems go far beyond
internships. Seasoned professionals
feel as though they are under
siege. As one participant put it,
“Acquisition people cannot make
decisions and are frustrated at
having to send their work through
so many layers of review. Warranted
contracting officers cannot get the
simplest tasks done and are not
allowed to make simple decisions.”
According to participants,
oversight bodies are contributing
to the poisoned work environment.
One person said the Government
Accountability Office and inspector
general “have been very aggressive.
The GAO and the IG go to the Hill if
agencies do not follow them exactly.
It is a very confrontational time right
now.” Another said, “In its reports,
the [Defense Department] IG makes
comments like ‘We need to hold the
contracting officer accountable.’
These contracting officers are
getting named and sometimes
have to come in and testify. Rarely
has contracting been held to this
standard, held accountable in
ways that it should not be.” It was
discouraging to hear the lesson one
person drew from the experience:
“Nothing happens to you if you do
nothing.”
We are succeeding in recruiting
and training talented people
to tackle complex acquisition
challenges, but we are then putting
them in an environment that drives
them toward risk avoidance and
a focus on mere compliance.
One senior official said, “We tell
contracting officers to use their
brains, but also that if they make a
mistake, they are toast.” Another
participant expressed the view
that “it used to be a different
environment, one [that cut down on]
regulation. Now the environment is
risk-averse, and everyone is afraid of
being reported to the IG.”
Creating a stimulating and
rewarding work environment for
talented professionals is the key
to strengthening the government’s
acquisition practices and ensuring
that it achieves the outcomes
desired for a reasonable cost. After
our discussion, we believe we need
to raise awareness about the need
to find a better balance between
oversight — as important and
necessary as it is — and promoting
the freedom to use good judgment.
That flexibility is essential for
professionals to thrive and find
creative solutions to complex
challenges. ■
Commentary | SAMPRITI GANGULI
SAMPRITI GANGULI is managing
director of the Corporate Executive
Board’s government practice.
3 keys to boosting employee satisfaction
The Corporate Executive Board pinpointed areas that have the biggest impact on an
agency’s rank in the Best Places to Work index
Government executives will soon
be receiving their agencies’ results
from the latest Federal Employee
Viewpoint (FedView) Survey. Those
results will not only inform agencies’
2013 priorities, but will also serve as
the basis for the much-anticipated
2012 index of the Best Places to
Work in the Federal Government.
An agency’s placement on this
ranking can have a big impact on
employee engagement and candidate attraction. Strong or improving
scores can bolster an agency’s brand
and reputation and serve as a badge
of honor for all employees. Declining scores can confirm employee
suspicions of worsening conditions
and encourage top talent to explore
job opportunities elsewhere.
The Partnership for Public Service derives the index from the
answers to three FedView Survey
questions that indicate employees’
satisfaction with their jobs, their
organizations and their agencies’
advocacy. Although those questions
are informative indicators, they are
not very suggestive of what agencies
can do to improve in those areas.
The Corporate Executive Board
(CEB) used regression analysis of
the 2011 FedView Survey results to
uncover which workplace attributes
have the greatest impact on agency
rankings. We found that three characteristics had a disproportionate
effect.
1. Recognizing work unit and
agency successes. Perceptions
of agency mission success and
the quality of work completed by
an individual’s work unit had the
strongest impact on employee
satisfaction. Low scores on those
questions do not necessarily
mean that agencies are not
meeting their goals, as there is a
wide communication gap across
government that can limit employee
awareness of local or enterprise
success. FedView results indicate
that half of employees are not
satisfied with the information
they receive from management
about activity within their
organizations, while a third do not
agree that managers evaluate the
organization’s progress toward
meeting its goals.
Managers and leaders must recognize and share the successes of
their teams and those taking place
across the agency. Highlighting
achievements can pay big dividends
in employee morale.
2. Soliciting upward feedback.
Employee involvement in the
decisions that affect their work
represents another top driver
of agency rankings. Involving
employees in decision-making does
not mean catering to their every
wish, but it does entail proactively
asking for employees’ opinions
and valuing their perspectives.
Given that some staff are reluctant
to share their thoughts, tapping
into a direct report’s insights
might require proactive probing.
Equally important is a manager’s
receptivity to employee feedback.
In the FedView Survey, one in four
employees did not agree that their
managers listen to what they have
to say.
Although soliciting employee
feedback can lengthen the decision-making process, the benefits —
becoming aware of potential risks
and increasing employee engagement — can more than make up for
the extra time spent.
3. Reinforcing workplace
inclusion. A manager’s ability
to work well with employees of
different backgrounds represents
another top driver of employee
satisfaction. Although agencies
have traditionally focused diversity
efforts on getting diverse talent
through the door, CEB research
shows that workplace inclusion
actually has a greater impact
on employee engagement and
satisfaction than workforce
diversity alone.
By providing supervisors and hiring managers with simple workflow
tools, agencies can improve workplace inclusion without incurring
heavy costs. ■
CYBER INSECURITY
Managing against the risks
Firewalls and other barriers can’t begin to guard against every
threat. Today’s interconnected systems and mobile workforce
demand a very different approach.
BY BRIAN ROBINSON
Risk management has been part of
IT security from Day One, but has
often taken a backseat to aggressive zero-tolerance policies that sought
to raise impenetrable barriers to security
threats. Now we know better.
An explosion in the volume and sophistication of malware in the past few years
has overwhelmed barrier technologies
such as firewalls and intrusion-detection
systems, and the bogglingly fast spread of
powerful mobile devices such as tablet
PCs and smart phones has provided the
black hats with a wealth of different ways
to break into networks.
“Three decades ago, a mainframe
would have been a big investment for an
organization, but IT has become a commodity today and we use those technologies very aggressively,” said Ron Ross, a
fellow at the National Institute of Standards and Technology and the leader
of NIST’s Federal Information Security
Management Act (FISMA) Implementation Project. “The trend now is also to
connect everything to everything. Couple that with the exponential growth in
malware, and that’s why people are so
concerned.”
In contrast to the castle-and-moat
approach to security, risk management
sets acceptable levels of risk for an organization, and then controls and seeks to
mitigate those risks. That way — or so the
theory goes — the most mission-critical
systems can be protected and the organization will still be able to function even
if cyberattacks succeed in penetrating
periphery defenses.
Theory is one thing and implementation another, however. Although the
concept of risk management is now
well understood in agency IT and security departments, it is not yet a widely
practiced discipline. Agencies such as the
National Security Agency and the State,
Commerce and Defense departments
are acknowledged leaders in risk management, but overall, the government
is behind the curve.
[Figure: Risk Management Framework process overview. Inputs: architecture description (architecture reference models; segment and solution architectures; mission and business processes; information system boundaries) and organizational inputs (laws, directives, policy guidance; strategic goals and objectives; priorities and resource availability; supply chain considerations). Cycle: Step 1, categorize information system; Step 2, select security controls; Step 3, implement security controls; Step 4, assess security controls; Step 5, authorize information system; Step 6, monitor security controls. Source: National Institute of Standards and Technology]
A recent Ponemon Institute study
of risk-based security management in
the United States, which included input
from government organizations, noted
that more than three-quarters of respondents had a significant commitment to
RBSM, but less than half actually have a
program in place. A third of respondents
have no RBSM strategy.
“Lots of organizations want to do
RBSM, and they realize the importance
of it,” said Larry Ponemon, the institute’s
chairman. “But there’s either resistance
internally from people who are reluctant
to move out of their comfort zones, or
they just don’t have the right resources
to make it happen systematically. What
you often end up with is a kind of a
hodgepodge approach to it.”
Chris Kennedy, principal security
architect and senior program manager at Northrop Grumman Information Systems’ Civil Systems Division,
said he believes most federal agencies
understand what risk management is,
but “it’s just one of those things that’s
really tough to operationalize.”
“The challenge is that IT has been
traditionally managed in agencies as a
mission enabler, and there hasn’t been
the level of cross-pollination between
the mission owner and IT system operators to manage risk appropriately,” he
said. “Someone needs to work the priority of the mission to establish the
appropriate risk management framework around the systems.”
The first step in developing a risk
management program is to get everyone to agree on what the risks are,
which is more complicated than it
sounds. In the older approach to security, the risks were associated with the
network and attached systems, and
identifying them was the responsibility of the IT department.
With enterprise risk management,
many communities own the business
processes that are at risk, and with
the rise of cloud computing, they will
increasingly have responsibility for the
IT services that are delivered. However,
each of them might have very different
ideas of what the risks are and how to
define them.
“If you want to develop a cohesive
risk management strategy, you have to
develop a centralized risk register that
everyone can refer to, and that means
also having a common nomenclature
for risk,” said Torsten George, vice
president of worldwide marketing and
products at Agiliance, a company that
provides risk management solutions.
“If you try to do that later, then the
accuracy of the data that comes back
to you will vary, and the trend data
that helps you predict your security
needs going forward will be impacted,”
George added.
NIST’s Ross described this as a need
for a second front in government to integrate cybersecurity and risk management processes into the mainstream.
“I do think the understanding for all
of this is there, but the systemic problems are also there and need attending to,” he said.
[Figure: Tiered risk management approach. Tier 1, organization (governance); Tier 2, mission/business process (information and information flows); Tier 3, information system (environment of operation); strategic risk sits at Tier 1 and tactical risk at Tier 3. Annotations: multi-tier organizationwide risk management; implemented by the risk executive (function); tightly coupled to enterprise architecture and information security architecture; system development life cycle focus; disciplined and structured process; flexible and agile implementation. Source: National Institute of Standards and Technology]
Likewise, it is vital early on to create a governance
process for making decisions about which risks will be
targeted and what steps will be taken to mitigate them.
That process will need to cover the entire enterprise.
Once it has been decided that there is a risk in a particular organizational unit with an operational mission
responsibility, the governance process will require the
professional who can assess that risk to characterize it
and describe it to the operational manager, said Lee Holcomb, vice president of strategic initiatives and cyber
operations at Lockheed Martin Information Systems
and Global Solutions.
“That manager needs to be able to say he will invest
the money to fix that risk and put in a process to mitigate
it, or that he will flat out accept the risk and not invest in
mitigation,” said Holcomb, whose federal career includes
serving as CIO at NASA and chief technology officer at
the Department of Homeland Security. “That discussion
is a central one that absolutely needs to take place.”
He added that one of the current challenges in the
cybersecurity area — and it relates directly to the assessment of risk — is the need for people to be able to say
what an additional dollar of investment buys in terms
of security. “There are probably a significant number of
agencies that don’t have a rich discussion of that through
a governance process,” he said.
Leadership commitment is also essential for implementing an effective risk management program, said
Henry Sienkiewicz, vice chief information assurance
executive at the Defense Information Systems Agency.
Furthermore, the governance process is vital to ensure
ongoing collaboration and synchronization of the efforts
of the multiple groups and teams that will be involved.
Sienkiewicz said key areas include “identifying roles
and responsibilities across the organization, methods
for de-confliction of issues, means of communication
with stakeholders, sharing of information and ensuring
leadership acceptance of risks.”
Assessing the risks that must be managed is typically more of an art than a science. NIST recently
published the final version of its risk assessment guidelines, Special Publication 800-30, which covers what
it sees as the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and
business operations, and the likelihood of a threat
exploiting vulnerabilities in information systems and
their physical environment to cause harm.
The document provides a common lexicon regarding risk factors that influence the method of assessing
and ultimately managing risks, Sienkiewicz said. But
he added that the methods for assessing risk are more
descriptive than prescriptive and leave
it to the organization to determine the
most suitable approach for itself, taking into account factors such as system
use and mission requirements.
Agencies will have to make it up on
their own to some extent and choose
standards for risk assessments that they
will be able to carry forward, said Tim
Erlin, director of IT security and risk
strategy at nCircle, a company that
specializes in risk and security performance management.
“There also isn’t a consistent methodology for assessing multidimensional
risks or the combination of risk and
environment that might be dependent
on each other,” he said. “While the
NIST guidance is very comprehensive, it doesn’t seem to provide a lot of
guidance on how to chain these things
together.”
One constant in any government program, of course, is cost. Given the budget constraints agencies face today and
will have to operate under for the foreseeable future, any sizable new investment will be closely scrutinized. Risk
management will involve some upfront
costs in terms of process and tools, such
as new automation technologies, but it
could result in savings down the road.
In researching the costs of risk
management, the Ponemon Institute
has come up with a range that covers
short-term costs such as extra people
and new technology, indirect costs,
and what it calls opportunity costs: for example,
the potential for damage to agency
missions through data loss and a consequent drop in user trust if security is
not done right.
“The reality is that the short-term
costs probably do go up pretty substantially if you do it right,” Ponemon
said. “But over time, we would expect
to see a reduction, especially in indirect
and opportunity costs.” ■
A RISK MANAGEMENT READING LIST
The Federal Information Security
Management Act of 2002 and the
newer Federal Risk and Authorization Management Program provide
detailed requirements regarding what
agencies need to consider when
assessing and managing security
risks. The National Institute of Standards and Technology takes those
requirements into account in developing its guidelines for agencies.
FISMA sets various standards and
guidance for agencies to use when
assessing risks and establishing
security controls, and agencies must
comply with them annually. However,
the law does not yet tell agencies
that they must improve security, only
that they must show that they have a
process in place that will enable them
to do so.
However, FISMA is credited with
providing a good foundation for risk
management in the federal government. Its requirement for continuous
monitoring of security risks and controls is considered a fundamental shift
in risk management because it moves
reporting from periodic snapshots to a
real-time process.
NIST has a portfolio of documents
that provide detailed guidance on risk
management, including:
• SP 800-30 — Risk Management
Guide for IT Systems
• SP 800-37 — Guide for Applying
the Risk Management Framework
to Federal Information Systems: A
Security Life Cycle Approach
• SP 800-39 — Managing Information Security Risk: Organization,
Mission and Information System View
• SP 800-53 — Recommended
Security Controls for Federal Information Systems and
Organizations
• SP 800-53A — Guide for
Assessing the Security Controls in Federal Information
Systems and Organizations:
Building Effective Security
Assessment Plans
The big new idea in the latest
set of documents is that agencies should look at risk management as an enterprisewide
process and not something to be
performed at the system level,
said Ron Ross, a NIST fellow and
leader of the agency’s FISMA
Implementation Project.
“It applies to all three tiers in
an organization — from where the
assessment is done at the highest
level, where the risk management
strategy is produced [and] is pushed
down through Tier 2, where assessments have an impact on mission and
business operations, to the system
security design at Tier 3,” he said.
— Brian Robinson
SPONSORED CONTENT
SmartSolutions
> news, ideas & trends in brief
Managed Products and Services
Help Agencies Secure Their Networks
IT leaders are facing a raft of unfunded federal mandates
designed to help secure their IT infrastructure. CenturyLink
provides services and support, including MTIPS as a managed security service, that can help them comply with and
even exceed the requirements in those federal mandates.
September ushered in a series of distributed denial-of-service (DDoS) website
attacks against several major U.S. financial institutions. Recent events, in addition to real and increasing threats from both internal and external hackers,
underscore the fact that organizations must take cybersecurity very seriously.
Several technologies have been designed to protect government institutions
and organizations from cyberattacks. Among the approved programs is the
Trusted Internet Connection (TIC) initiative, which requires that agencies reduce
their number of Internet connections. This can be accomplished via Managed
Trusted Internet Protocol Services (MTIPS) under the Networx contract.
Additionally, Internet Protocol version 6 (IPv6) migration provides additional IP
addresses and better security for devices connected to the Internet.
However, few agencies comply with either mandate. For example, only
11 percent of federal agencies had operational support for IPv6 websites at
the end of September, according to the National Institute of Standards and
Technology. Cost is definitely an issue, as these technologies require new
equipment and employee training. Managed services from companies like
CenturyLink, however, can help reduce an agency’s capital outlay and the
need for new IT staff while increasing overall network security.
A Simpler Transition
CenturyLink provides agencies with a private transport infrastructure to
direct traffic from the agency’s location to a secure MTIPS gateway hosted
in one of CenturyLink’s industry-leading, next-generation data centers.
CenturyLink is one of the first providers to enable IPv6 on its MTIPS platform, which enables Domain Name System Security Extensions (DNSSEC)
capabilities. However, this is not the only thing that separates CenturyLink
from its competitors. CenturyLink also differentiates itself with its network
and MTIPS service design, which features quadruple redundancy and a
resiliency that helps customers derive immediate benefits from migration.
CenturyLink can also help agencies design their migration strategy using
a best practices template. Once the design is created, the company provides
program management support so that there is minimal (if any) downtime.
Existing IPS customers can be upgraded to the enhanced managed security
services features of MTIPS, and they have the ability to customize and
reconfigure that service dynamically. New MTIPS customers can also customize and reconfigure their offerings on a rolling basis.
This provides the benefit of not needing to know from “day one” how
their network should be designed or configured. In other words, the network can evolve as the agency’s needs
evolve. As customers become comfortable with the MTIPS product, agencies
can modify it based on their needs by
using a customized interface portal. An
added benefit is that by acquiring this
cloud-based service, organizations will
also fulfill the Cloud-First initiative,
since they will only pay for the services
they use.
MTIPS is only one product offering in
CenturyLink’s expansive security suite.
Even those agencies that have implemented a Trusted Internet Connection
internally can take advantage of other
managed services to lighten their IT security load, including cloud-based managed
firewall services, data backup and co-location. Other CenturyLink security offerings
include DDoS mitigation, cyberthreat
analysis, professional security services
consulting, threat intelligence and analysis
services, infrastructure protection services,
and security application development.
When combined, these services can
provide safeguards by making sure that
all incoming traffic, including traffic from
cloud services, has been scrubbed so that
the agency’s network is protected and
by making sure that all outgoing traffic
remains on a private network, thus enhancing the agency’s safety and security.
For more information about CenturyLink
Government’s services and
offerings, please contact your agency’s
representative or email us at
CTLfederal.federal@centurylink.com.
For more information on CenturyLink,
please go to:
CenturyLink.com/federal
Feature Story
How to get along
with Congress
Testifying before a congressional committee doesn’t have to be an ordeal.
These tips can help agency leaders stay calm and focused under fire.
BY BOB WOODS
When many of us came to
Washington, we had our
ideas about how government works — or at least how it
should. Because where you stand usually depends on where you sit, perspective is born of the place where
you work. In my case, I spent time in
the executive branch of government
in the Federal Aviation Administration, the General Services Administration, and the departments of the Navy,
Transportation, and Veterans Affairs.
My entry- and mid-level years were
spent at the Navy and FAA, and back
then, dealing with Congress was something discussed over beers with friends
and colleagues. But as often happens,
times change when you enter the senior
and executive ranks. As responsibilities and visibilities increase, so does
the likelihood of interacting with congressional staff members, lawmakers
and other Capitol Hill power players.
It is important to recognize that, when
it comes to Congress, different rules
apply and a little preparation goes a
long way.
Tip 1: Assess your visibility
In the simplest terms, Congress legislates and the executive branch executes, and then Congress oversees
that execution. That simple division
of duties is not simple in its operation,
however. For instance, a presidential
administration might set policies in a
way that legislators see as infringing
on their role, and Congress can take
oversight to the level of micromanagement. Pure politics can create those
fault lines, but our system is designed
to maintain a healthy tension between
the branches.
For officials on either side, the
secret to being effective and prevailing on issues that matter is to be proficient in operating at this intersection
of government.
That is not always the case, of
course. If the issues are small or
mundane enough, components of any
branch of government below a certain
level can operate almost unimpeded.
The situation changes when issues
are bigger, more important and more
contentious.
In other words, not all agency officials will need to interact with members of Congress or their staffs. For our
consideration, however, let’s assume
that your program or policy area draws
congressional interest, which means
you must be able to coexist with Congress in order to effectively do your
job.
Almost by definition, congressional
interest means contention and differences in opinion. Any large program
that has winners or losers, real or
perceived, will fall into this category.
Even programs with Mary Poppins-type objectives, such as saving taxpayer dollars, produce winners and
losers and will therefore encounter
advocates for different ways of performing the program.
The variety of stakeholders in government programs and policies is
sometimes mind-boggling. Constituencies such as veterans, senior citizens,
students and farmers are among the
best-known, but they are far from
alone. Pick a topic, and then educate
yourself on the amazing range of interested parties. Executive branch leaders often look at issues in a myopic
operational or technical way, without
regard to the constituencies that might
be interested. Who supports or opposes your initiative is not something you
want to learn for the first time at a congressional hearing.
Tip 2: Build relationships before
you are called to testify
I still marvel at how badly some witnesses perform during congressional
hearings, and to see members of the
executive branch show up poorly
prepared and poorly positioned with
regard to congressional staffs is particularly disappointing. Although preparation depends on staff work in the
few weeks leading up to the hearing,
positioning is dependent on what you
and your staff have been doing for the
past two to three years.
It is critical to work with congressional staffers on a regular basis. Often
this means visiting them to provide program updates and briefs, even when
there might not be much going on. Routine briefings on important programs
are important to do often and in small
doses. Telling the story as it happens
increases credibility and allows time
for the staff members to absorb the
complexities and complications of the
program.
Waiting for your program to become
interesting to congressional staffers is
not a good idea. It means others have
likely defined the issues for you, and
it will raise the question of why you
haven’t been more forthcoming.
Tip 3: Know what type of
hearing you’ll be attending
Even with the best relationship-building efforts, big and contentious programs will often reach a point where
congressional committees feel they
need to air the issues publicly in a
hearing. Press coverage and congressional attention will vary depending
on the level of public interest. A low-interest hearing — to discuss a small
agency’s budget, for example — will
have no public audience, few lawmakers or staff members attending, and
two or three agency executives at the
microphones. These are sleepers, and
it’s important to stay awake and not
offend anyone. Let’s call this a Type
C hearing.
The next level of hearing — a Type
B — will be a full-blown affair in the
committee chambers with members of
the public present, most lawmakers’
chairs occupied, and some trade and
mainstream press reporters attending. There will often be photographers
shooting these inside-the-Beltway types
of events. Such hearings are important
to the stakeholders involved and will
appear in the Congressional Record,
but they are unlikely to make the evening news.
Type A hearings are the ones we see
on television. Cameras capture people
being sworn in, witnesses sweating,
lawmakers being concerned or horrified, and crowds of reporters — all
under the blinding TV lights. Type A
hearings are shows. Symbolism is
paramount, messages are important,
and changes are likely to be made as
a result.
Tip 4: Do your homework, and
practice, practice, practice!
My experience with being a witness
at Type A and B hearings has taught
me some valuable lessons. First, the
notice that you are being called to
testify is a sobering event — not as
sobering as being sworn in before
the committee and cameras, but it
will raise your pulse rate.
Preparation for the event is essential,
and having members of your support
staff who are experienced and competent is a must. The first time I was called
to testify, my head of congressional
affairs was a former congressman and
committee chairman. His demeanor and
experience lowered my blood pressure.
And although issue papers, congressional staff questions and research are
all vital, it doesn’t hurt to gather political intelligence. Find out what you can
about the members of the committee
— such as their biases, favorite issues
and where they are from.
Rehearse for the hearing by having
your staffers ask the kinds of hard
questions that are likely to come from
committee members. The drill is likely to highlight your weaknesses. Urge
your team to be combative and even
a little nasty during this exercise. The
experience should be the worst you
will see, not the best.
Also, it is critical to know what
prompted the hearing and the back
channels that were worked before the
hearing was called. The most adversarial questions likely will not come from
the committee staffers with whom you
usually work; they often come from
unhappy constituents with an ax to
grind. If you know who’s unhappy, you
can better prepare to address their concerns and accusations.
Tip 5: Document your case
Live statements at the witness table
are only part of the equation. You
should also prepare three documents
for the hearing.
The committee will ask for the
opening statement in writing at least
24 hours before the hearing. That statement is for the Congressional Record
and, within reason, can be any length.
The second document is the one you
read to the committee after you are
sworn in. You will typically be given
five minutes for that oral statement.
Don’t take the full five. Members are
usually inattentive, even if they are
present, and don’t want to hear you
drone on. Take three minutes, catch
them off guard and give them back two
minutes of their lives.
The third document is for the press.
It is written in plain English and
explains what your statement said and
why the hearing was called. That document will often appear almost verbatim
in press articles. Don’t complain about
the press coverage if you didn’t prepare
that third document.
Tip 6: Keep your cool
In general, be relaxed, dress for TV,
and be polite and well mannered.
Limit your remarks beyond answering questions, and don’t talk loosely
during recesses or breaks. You don’t
know who is nearby and what microphones are still open.
Part of preparation is trying to anticipate the questions and their tone and
then phrase the proper answers. The
subtle part of the hearing is the banter
and attitude of the participants. Listen
carefully to the opening remarks and
adjust accordingly. Be on the lookout for those “zinger” questions from
unhappy parties you identified earlier.
Those are often easy to spot because
they have an edge that exposes the
unhappiness. If you are asked, “Is your
agency so efficient that it received 140
pages of comments on Friday and still
released the request for proposals on
Monday?” you know the question was
not submitted by your friend. The only
defense to that type of ambush question
is superior intelligence gathering. If you
get such a question, be gracious, thank
the lawmaker for his or her attention to
your agency’s efficiency and answer the
question as best you can.
Another tactic of trial lawyers and
committee members is the hypothetical
question: “Mr. Woods, if you could do it
over again….” Hypothetical questions
attempt to draw out a damaging answer
to an inquiry without foundation. When
a question contains the words “if” or
“looking back” or “in retrospect,” you
are being asked to answer a hypothetical question. Don’t do it.
The best retort was given by Sandra Bates, former commissioner of
GSA’s Federal Technology Service.
When she got a “looking back” question from former Rep. Tom Davis, who
was chairman of the House Government Reform Committee at the time,
Bates answered, “My mother said it
was OK to look back as long as you
didn’t stare.”
The key to responding to those questions is not to give them credence. In
other words, dumb questions should
not be given serious answers or consideration. “If we could turn back
the clock 50 years” doesn’t warrant
a thoughtful reply unless you know
something I don’t about the existence
of time machines. A question that
begins “If you were 7 feet 4 inches
tall” deserves an answer such as “I
would be working for the NBA, not
for this agency.” Remember: Real questions cannot be answered by fantasy
answers, and fantasy questions should
not be answered by real ones.
Everyone would benefit from better communication between the executive and legislative branches. Although
there are times when those interactions
seem less effective and border on being
toxic, I believe the basics of building
relationships and making government
work better are much as they have
always been. Honesty and directness
are important, but you will never get
there without preparing and carefully
managing perceptions. ■
Bob Woods is president of Topside
Consulting Group and former commissioner of the General Services
Administration’s Federal Technology Service.
MAJ. GEN. MARK BOWMAN:
Leading DOD across the enterprise finish line
BY AMBER CORRIN
The Defense Department is
changing. From the outside, the reasons might
seem obvious: Wars are
winding down, budgets are
being cut, and national security policies
are changing. And to varying degrees, all
those things are indeed shaping the next-generation DOD.
But on the inside, there is a slightly different view. While budgets and geopolitics
are driving some contraction, the department is also becoming leaner because its
leaders want to build a better connected,
more agile organization. IT is playing a
key role in bringing together the military
services to share information, services,
platforms and costs. And behind the
scenes, Army Maj. Gen. Mark Bowman
is quietly helping to drive that change.
Bowman, who in March was tapped to
be director of command, control, communications and computers and CIO at
the Joint Staff, is resurrecting that briefly
shuttered function, known as J6. And,
flanked by an accomplished team of
defense IT professionals, he is breaking
down the walls that have long hindered
sharing.
A believer in communications, the network and the technologies that advance
them, Bowman consistently stresses that
IT can change the way DOD does business. He readily acknowledges the hurdles before him, but multiple supporters
said Bowman knows, firsthand, what this
kind of evolution can herald.
Perhaps equally important, Bowman is
a believer in the enterprise concept and
what it can do for the military.
“We have a fiscal environment that’s
now going to be different than it has in
the past,” Bowman said in an interview
with FCW. “We’ve had 10 years of war
and lots of money coming in and lots of
upgrades on the forward edge that we’ve
adopted back here [at home]. We’re not
going to have that money. We’re going to
have to capitalize on what the other guy’s
got and share costs instead of doing it all
ourselves.”
The logistics behind
becoming an enterprise
Change is not easy for any
agency, but historically it
has been particularly difficult at DOD. Although
rich in military tradition,
the divisions that have
long separated the Army,
Air Force, Navy and Marine
Corps can make it hard to
share critical information
in an era of coalition warfare and networks that are
unconstrained by conventional boundaries.
Bowman recognizes
that challenge, but said
he is determined to overcome the resistance to
change that reinforces such
divisions.
His strategy? “It’s 100
percent leadership. It’s
talking to people and
getting them to realize that Wayne Gretzky
didn’t get to be the greatest hockey player in the
world because he played
the puck where it was
or where he wanted it to
be. He wasn’t the biggest,
he wasn’t the fastest, he
wasn’t the strongest, but
he knew to skate where
the puck was going to be,”
Bowman said. “What we
need to convince people
is that change isn’t bad. Change is necessary. This is a
way to do it. Now let’s be part of the solution as opposed
to [being] expert problem identifiers.”
That faith in the power of leadership, however, does
not translate into an overly top-down approach. “The way
I play it is it’s much less about me and much more about
the team. I’m just a happy member of the team,” Bowman
said. “This is a team sport. We’re all in this together, and
we all need to be pulling for enterprise solutions together.”
Those who have worked with Bowman paint him as
a strong leader whose approach to his new role — he
was confirmed in late September — is exactly what is
needed to usher in the evolution necessary to achieve
an enterprise-focused DOD.
“Gen. Bowman is a senior
leader who gets things over
the finish line,” said Col. John
Schrader, chief of staff at the
Army National Cemeteries Program. “He doesn’t like wasting
time — his, his people’s or his
bosses’.”
Schrader worked with Bowman in the 1990s and again
more recently at the Army
CIO’s office. He said for Bowman it is all about getting warfighters what they need. “That’s
his gift — focusing large organizations on what really matters,” Schrader said. “It’s
never about him. It’s always
about the unit, the organization, the Army, the Defense
Department.”
These days, much of Bowman’s focus is on some of the
core components of his enterprise vision, including the Joint
Information Environment. The
comprehensive, coalition-aimed program is designed
to provide a seamless, holistic operational view to troops
everywhere, improving the
speed and ability to share data
and intelligence regardless of
location or mission.
“The desire for coalition
partners to share classified
information [and] mission
information among each other
is huge and can never be understated,” Bowman said.
“With JIE, we can have a network that’s operational for
any type of mission — combat, disaster relief, homeland.
Having something like a hurricane or a tsunami causes
people to have to work together.… If we have an environment like that, where we can go anywhere we need to
and share at any classification throughout the operation,
we’ll get much better results.”
A key part of JIE is the Future Mission Network, a
follow-on to the ad hoc Afghanistan Mission Network that
evolved from the need to communicate across coalition
forces in that country. Bowman has been heavily involved
in both efforts and said he will continue to be as the
Future Mission Network evolves into an even broader
mission partner environment.
The coalition communication programs have proved
invaluable in battle zones, and they are a cornerstone of JIE
and a prime example of the department’s enterprise efforts,
Bowman said. He is helping direct the initiative’s ongoing development, including meeting biweekly with other
executive-level DOD officials to closely monitor progress
and chart the way ahead.
“We have to make sure we don’t lose momentum. The JIE’s
a wonderful thing, but it doesn’t have irreversible momentum
behind it yet,” he said. “If it were left alone, it would go right
back to where it was — everyone doing their own thing —
and we can’t afford that, operationally or financially.”
It is that kind of focus that makes those who know Bowman say the program could not be in more capable hands.
“Mark brings an incredible mix of tactical and operational
signal experience, plus an extraordinary understanding of
joint operations,” said retired Lt. Gen. Jeffrey Sorenson,
former Army CIO and now a partner at consulting firm
A.T. Kearney. “Simply stated, he’s the right guy at the right
time in the right place. He will help drive the JIE to reality.”
Staying open to new ideas
The Joint Staff position is not Bowman’s first run as a leader
or as a CIO, but it is the first time anyone has been both C4
director and CIO at the Joint Staff. For him it makes sense:
When J6 was disestablished two years ago as part of former
Defense Secretary Robert Gates’ efficiency measures, it left
a gap in network connectedness for the military.
“With the increased dependence on the network, the
increased threats to the network and the fiscal environment
we’re in, it just makes sense to have it all together so we
can be mutually supportive and push it forward,” Bowman
said. “The environment is just perfect for success today.…
We’re dealing with that reality, and we can do better than
we have in the past.”
Part of doing things better is starting from within the
organization, said Bowman, who sees his directorate as
a prime place for testing new capabilities before fielding
them more broadly. Examples include enterprise e-mail,
thin-client technology and efforts to reduce costs by cutting down on printing.
“We’re open to new ideas. What we’re going to do here at
J6 is always try it out ourselves first,” he said. “We identify
issues and get it fixed, then we start working with other
directorates and activities to put them on as pilot users.”
Those experiments serve to identify potential savings
and push DOD toward its enterprise vision. By getting new
capabilities right at J6 first, it makes the transition
easier and helps overcome the cultural barriers while also
proving the viability of shared resources and services, bringing
the forces together, and improving defense.
“Everything is a learning process, and we have to learn
as we go,” Bowman said. “We need to adapt with the times.
Our adversaries are using commercial off-the-shelf technology; they’re adapting. It would be irresponsible of us not
to change.”
The lessons have helped shape the leadership role he has
taken on, garnered from his experience in helping guide budgeting, strategy and oversight of $5 billion in Army defense
IT, leading data center consolidation efforts, modernizing
the Army through the Base Realignment and Closure program, and redesigning the Signal Regiment. Bowman characteristically shares the credit for those accomplishments
with his colleagues.
“You take all the things you’ve worked with in the past,
and quite frankly, they’re not all my ideas,” he said. “It’s
obvious things were done in the past that we could do
better and more securely in the future if we work together
as an enterprise approach. There is no room for cultural
differences.… It’s about working together and sharing the
view of the network together. If I were asked if I have a
quest, that’s it: for everybody to be one radius away from
what’s going on.” ■
Federal 100: What it takes
Before Maj. Gen. Mark Bowman was CIO for the Joint
Staff, he was a Federal 100 winner. He won in 2011 for
his leadership on data center consolidation, telecommunication systems and a ground-up redesign of the Army’s
Signal Regiment. Defense Department Deputy CIO
Robert Carey said at the time that Bowman transformed
“how the Army provides communications to warfighters
on the ground.”
It is for leaders like these that FCW created the annual
Federal 100 awards to recognize 100 individuals in government and industry who have played pivotal roles in
the federal IT community. The nomination period for 2013
opens Nov. 1.
Federal 100 awards are for individual achievement, not
teams or projects. And although previous publicity is no
disqualifier, we are looking for the unsung heroes who
have made a difference through their creativity, energy
and sheer tenacity.
All nominations must be made online at FCW.com and
must be submitted by midnight on Dec. 21. Go to
fcw.com/fed100 to learn more and help identify the next
Federal 100.
ExecTech
Disaster recovery: Should you trust it to the cloud?
BY ALAN JOCH
Implementing a disaster recovery
plan can be like eating vegetables,
getting enough fiber and sleeping at
least eight hours a night. Most people understand why these things are
important, but few do them religiously.
The problem is that traditional
disaster recovery methods call for recreating the full IT environment at a
separate off-site facility to keep agencies safe from unplanned IT outages.
The investment in redundant resources
pays off if a server gets fried, some
stealthy malware takes down a storage system, or a hurricane forces a
data center evacuation.
But on most days, when disasters
don’t strike, all that duplicate hardware and software are running in
standby mode and not contributing
meaningfully to the agency’s daily
operations. That is a tough expense
to justify, particularly in times of tight
IT budgets.
And so a growing number of IT
managers are considering a way to
change the equation: cloud-based
disaster recovery, also known as DR
as a service (DRaaS). With this option,
agencies subscribe to a third-party
cloud service to avoid the upfront
costs of buying, installing and managing the necessary hardware and software. Instead, they pay a monthly fee
for storing duplicate copies of data
and applications at an off-site location.
Next steps:
Questions to ask cloud providers
A lot rides on cloud-based disaster recovery. Here are the questions agencies
must ask before signing a contract.
• Is the service provider certified under the Federal Risk and Authorization Management Program?
• What penalties will result if the service provider fails to meet the recovery time and recovery point objectives spelled out in the service-level agreement?
• What are the service provider’s financial condition, track record and length of time in the cloud-based disaster recovery market?
• What are the base fees for data replication in a non-disaster situation, what additional fees will arise during a recovery, and will those charges be a one-time or a daily fee for the length of the recovery?
• Where will my data be physically stored when it is in the cloud, and will that conflict with any of my agency’s internal policies or federal regulations?
• Are the wide-area network connections to the cloud sufficient to ensure adequate performance when sending data between the main and backup facilities?
• Will the recovery site be far enough away from the production facility that both won’t be affected by the same regional disaster?
• How frequently will the service provider conduct tests of the disaster recovery capabilities, and what will be the agency’s role and responsibilities during testing?
“You’re only going to pay for what you need rather
than for an entire duplicate of everything that’s sitting idle waiting for a disaster,” said Chuck Riddle,
CIO at the Government Printing Office. He said his
department is actively evaluating cloud-based disaster
recovery but has not made the move yet. “Done correctly, it opens up a lot of options for doing disaster
recovery better than in the past, but the devil’s always
in the details when it comes to how you actually move
forward.”
Why it matters
Because disaster recovery investments have been difficult to justify, some organizations have attempted to
do it on the cheap, said Rachel Dines, a senior analyst
at Forrester Research. For example, they might buy
only enough duplicate resources to protect mission-critical applications, leaving second-tier but still valuable systems vulnerable to extended outages.
But the economies of scale offered by clouds could
mitigate those trade-offs. New data from Forrester
shows an increasing interest in cloud solutions for
disaster recovery. The firm approached IT managers
whose organizations have already adopted infrastructure as a service and asked how much the access to
improved disaster recovery had factored into their
decision. Almost half said it was very important, and
another 28 percent ranked it high on the importance
scale, Dines said.
Paying only for the resources you need — and only
when you need them — is not the only appeal, analysts say. Another potential benefit is faster recovery
times. The classic benchmarks of effectiveness are
recovery time objectives (RTOs) and recovery point
objectives (RPOs). The former is an estimate of how
fast critical resources will be returned to normal after
a disaster, while the latter defines the point from
which data will be restored — for example, when the
failure occurred or as of the previous night’s backup.
“Many of the clients we talk to who are interested
in recovery as a service are looking for improvement
in their RTOs and RPOs,” said Kevin Knox, a research
director at Gartner.
DRaaS can also help IT managers sleep better
at night because regular testing is written into the
solution’s service-level agreement (SLA). By contrast,
testing can fall through the cracks in traditional environments because it disrupts daily operations, Riddle
said.
But IT managers must weigh a number of pros and
cons when they consider DRaaS. “DR in a cloud is
by no means a slam dunk,” said Yogesh Khanna, vice
president and chief technology officer of IT infrastructure solutions for
CSC’s North American Public Sector.
One of the biggest challenges
remains the lack of industry standards regarding what deliverables
should be included in a DRaaS package. “Because the space is still very
new, I wouldn’t take anything for
granted when you are negotiating
SLAs,” Dines said.
Another potential stumbling block
is the need to sort out complex interconnections in existing IT systems
before duplicating them in the cloud.
“Sometimes it’s not clear what all the
interdependencies are for applications you’ve been running for the
last 20 years,” Riddle said.
The fundamentals
What should you consider before
trusting the cloud for disaster recovery? The first step is deciding on the
right cloud model — public, private
or a hybrid of the two. Moving to
a public cloud service is best for
agencies that have relatively homogeneous infrastructures — namely,
virtualized x86 servers rather than a
mix of Unix and mainframe servers,
Knox said.
IT organizations with mixed platforms should consider a private or
hybrid cloud strategy instead. “In
larger enterprises, people aren’t asking, ‘How am I going to recover my
mainframe in the cloud?’” he said.
“The more heterogeneous the environment, the more complex [disaster
recovery] gets because of different
types of hardware and platforms,
recovery times, recovery points, and
tiers of applications.”
Technological diversity is not the
only consideration. Agencies should
also carefully evaluate the kind of
data they might be sending to the
cloud, Khanna said. For security
reasons, mission-critical applications or those that hold classified
data should remain in a private cloud
or a shared government cloud. Less
critical resources could be protected
by a public DRaaS solution.
“Not all applications and data
are classified or top secret — even
in intelligence agencies and the
[Defense Department],” Khanna said.
“So they absolutely could go into a
public cloud.”
Other security considerations stem
from how data will be protected as it
is being transferred to and from the
recovery site, and while it is housed
in the cloud. Encryption and two-factor access controls are a must,
he said.
Khanna also said agencies should
decide what RTOs each application
requires and let that guide deployment decisions. “If I go to a public
cloud, I may be riding on a public
infrastructure and whatever SLA I
can negotiate,” he said. “So I may get
better RTOs from a private cloud.”
The hurdles
Planning and a needs analysis alone
won’t guarantee success, experts say.
IT managers should also prepare for
some common challenges associated
with DRaaS.
Fees can be a shock if they’re not
clearly defined during the SLA negotiation process. Analysts said many
DRaaS solutions charge a basic
monthly fee to cover daily data replications and the cloud resources
necessary to prepare for a disaster.
But agencies should also be prepared
for additional, so-called declaration
fees, the costs that kick in when a
customer “declares” that a crisis
is unfolding and recovery mode is
launched. Declaration fees might be
levied for each day the agency is in
recovery mode.
Other pricing confusion comes
about because some service providers use their own models rather
than an industry-accepted standard.
For example, one provider might set
prices according to the number of
virtual machines being protected,
while another might use the number of processors as the benchmark.
“It’s been hard to make apples-to-apples comparisons,” Knox said.
Fortunately, there are signs that
the situation is changing. A recent
industry trend is to base pricing on
a combination of connection costs,
memory, disk space and the number
of virtual machines. “We are starting
to see some standardization around
those four core areas for pricing,”
Knox said.
Another potential snag: Cloud providers frequently oversubscribe their
services by signing up more customers than can be accommodated if
disaster strikes them all at the same
time. That approach is not inherently bad, Dines said, because it helps
bring down subscription costs. But
agencies should question a potential
service provider about how it will
keep from becoming overwhelmed.
“I would ask what safeguards they
have put in place to make sure that
there will never be resource conflicts
at time of declaration,” she said.
“That might be as simple as making sure that they’ve got customers
from a wide geographic range so it’s
unlikely that they’d all be declaring
at the same time.”
Finally, agencies should avoid the
temptation to view DRaaS as a set-it-and-forget solution.
“I’ve met organizations that say,
‘I’m sending DR to the cloud; I’m
not going to think about it again,’”
Dines said. “I’ve seen organizations
lose focus because they’ve moved DR
to the cloud.”
But even with a cloud solution,
agencies must continue to perform
all the associated duties that go
along with a disaster recovery program, including conducting business
impact assessments, risk analyses
and tests with internal staff.
Some vegetables you just can’t
avoid eating. ■
DrillDown
A 21st-century approach
to democratizing data
The Internet has become a ubiquitous kiosk for posting information. The government’s role
in collecting and disseminating data should change accordingly.
BY CHRISTOPHER J. LYONS AND MARK A. FORMAN
“Unbelievable jobs numbers... These Chicago guys will do anything,” Jack Welch
tweeted.
Not surprisingly, the recent steep drop
in the unemployment rate has given rise
to conspiracy comments and discussions
about how the rate is derived. Maybe the
employment rate is inflated. Maybe it is
understated for months. Maybe seasonal
adjustments play a part. Maybe.
Recent “democratizing data” concepts hold great promise for improving accountability and even increasing
value from the billions of dollars spent on
thousands of government data-collection
programs. Yet when doubts dominate
market-moving, election-shifting data, it
is clear that America needs government
to change more than how it distributes
data. Should government collect the same
data and in the same way that it did in the
last century? More important, should government’s central role in collecting and
disseminating data be changed?
Every day an organization near Boston sends its agents out to collect the
prices of thousands of items sold by
hundreds of retailers and manufacturers around the world. The agents are
dozens of servers using software to
scrape prices from websites. In near-real time, the price data is collected,
stored, analyzed and sent to some of
the largest investment and financial
organizations on the planet, including
central banks.
This is the Billion Prices Project run
by two economics professors at the Massachusetts Institute of Technology. With
a 21st-century approach, two people can
collect and analyze the costs of goods
and services purchased in economies
all over the world using price data readily available online from thousands of
retailers. They mimic what consumers
do to find prices via Amazon, eBay and
Priceline. The Billion Prices Project does
not sample. It uses computer strength to
generate a daily census of the price of all
goods and services. It routinely predicts
price movements three months before
the government Consumer Price Index
(CPI) announces the same.
Beginning in the early 20th century, the
Bureau of Labor Statistics responded to
the need to determine reasonable cost-of-living
adjustments to workers’ wages
by publishing a price index tied to goods
and services in multiple regions. Over
time, government data collections grew
through the best methods available in the
20th century — surveys and sampling
— and built huge computer databases
on a scale only the government could
accomplish and afford. Even today, the
CPI is based on physically collecting —
by taking notes in stores — the prices
for a representative basket of goods and
services. The manual approach means
the data is not available until weeks after
consumers are already feeling the impact.
The federal government’s role as chief
data provider has resulted in approximately 75 agencies that collect data using
more than 6,000 surveys and regulatory
filings. Those data-collection activities
annually generate more than 400,000
sets of statistics that are often duplicative, sometimes conflicting and generally
published months after collection. The
federal government is still investing in
being the trusted monopoly provider of
statistical data by developing a single portal — Data.gov — to disseminate data it
collects using 20th-century approaches.
However, it is worth asking why
government would invest any taxpayer dollars in finding new ways to
publish data that is weeks out of date.
More importantly, in an age in which
most transactions are accomplished
electronically, does it make sense to
spread economic data assembled as
if we were still in the 20th century?
The lessons from the Billion Prices
Project lie in its 21st-century approach,
which affects the breadth, quality, cost
and timeliness of data collection. It is
an excellent example of how the rise
of the Internet as the ubiquitous kiosk
for posting information and the unstoppable movement to online transactions
require changing government’s 20th-century approach to collecting and
disseminating data.
The trusted information provider
role of government is ending, and
new ways to disseminate long-standing
datasets will not change that. Non-government entities are increasingly filling
the information quality gap, generating
the timely, trusted data and statistics
that businesses and policy-makers use
— and pay for. The Case-Shiller indices, compiled by Standard and Poor’s
using transaction data, are the standard for determining trends in housing
prices. The ADP National Employment
Report, generated from anonymous
payroll information, is widely trusted
to accurately relay changes in national
employment.
It is time for the government to reconsider its role in data collection and dissemination. The 21st century is characterized by digital commerce that makes
large amounts of transactional data available as those transactions occur. Government efforts to collect and analyze
data — much like the U.S. Postal Service
in the face of texting and e-mail — are
becoming more disenfranchised the longer
they ignore the paradigm shift.
Statistics developed by independent organizations and companies are
already essential to markets, businesses and policy-makers, and the government is increasingly a marginal player.
As long as the methods of collection
and analysis are open and auditable,
government might be better served by
shifting away from being a producer to
simply being a consumer. ■
Christopher Lyons is an independent
consultant who works primarily with
government clients on performance
improvement and adoption of commercial best practices. Mark Forman
was the government’s first administrator for e-government and IT and
is co-founder of Government Transaction Services, a cloud-based company
that simplifies and reduces the burden of complying with government
rules and regulations.
Statement of Ownership, Management and Circulation
1. Title of Publication: Federal Computer Week
2. Publication Number: 0893-052X
3. Filing Date: 09/28/12
4. Frequency of Issue: Two issues monthly except in Jan., Feb., and Dec.
5. Number of Issues Published Annually: 21
6. Annual Subscription Price: US $125, International $165
7. Complete Mailing Address of Known Office of Publication: 9201 Oakdale Ave., Ste. 101, Chatsworth, CA 91311
8. Complete Mailing Address of the Headquarters of General Business Offices of the Publisher: Same as above.
9. Full Name and Complete Mailing Address of Publisher, Editor, and Managing Editor:
Anne A. Armstrong, President, 8609 Westwood Center Dr., Ste. 500, Vienna, VA 22182-2215
Jennifer Weiss, Group Publisher, 8609 Westwood Center Dr., Ste. 500, Vienna, VA 22182-2215
Troy K. Schneider, Executive Editor, 8609 Westwood Center Dr., Ste. 500, Vienna, VA 22182-2215
Terri J. Huck, Managing Editor, 8609 Westwood Center Dr., Ste. 500, Vienna, VA 22182-2215
10. Owner(s): 1105 Media, Inc, dba: 101communications LLC, 9201 Oakdale Ave, Ste. 101, Chatsworth, CA 91311. Listing of shareholders in 1105 Media, Inc.
11. Known Bondholders, Mortgagees, and Other Security Holders Owning or Holding 1 Percent or more of the Total Amount of Bonds, Mortgages or Other Securities:
Nautic Partners V, L.P., 50 Kennedy Plaza, 12th Flr., Providence, RI 02903
Kennedy Plaza Partners III, LLC, 50 Kennedy Plaza, 12th Flr., Providence, RI 02903
12. The tax status has not changed during the preceding 12 months.
13. Publication Title: Federal Computer Week
14. Issue date for Circulation Data Below: September 30, 2012
15. Extent & Nature of Circulation (first figure: Average No. Copies Each Month During Preceding 12 Months; second figure: No. Copies of Single Issue Published Nearest to Filing Date):
a. Total Number of Copies (Net Press Run): 67,514; 56,699
b. Legitimate Paid and/or Requested Distribution
1. Outside County Paid/Requested Mail Subscriptions Stated on PS Form 3541: 52,836; 43,806
2. In-County Paid/Requested Mail Subscriptions Stated on PS Form 3541: 0; 0
3. Sales Through Dealers and Carriers, Street Vendors, Counter Sales, and Other Paid or Requested Distribution Outside USPS®: 12,926; 11,251
4. Requested Copies Distributed by Other Mail Classes Through the USPS: 0; 0
c. Total Paid and/or Requested Circulation: 65,762; 55,057
d. Nonrequested Distribution
1. Outside County Nonrequested Copies Stated on PS Form 3541: 943; 993
2. In-County Nonrequested Copies Distribution Stated on PS Form 3541: 0; 0
3. Nonrequested Copies Distribution Through the USPS by Other Classes of Mail: 0; 0
4. Nonrequested Copies Distributed Outside the Mail: 469; 244
e. Total Nonrequested Distribution: 1,412; 1,237
f. Total Distribution: 67,174; 56,294
g. Copies not Distributed: 340; 405
h. Total: 67,514; 56,699
i. Percent Paid and/or Requested Circulation: 97.90%; 97.80%
16. Total Circulation includes elections copies. Report circulation on PS Form 3526X worksheet.
17. Publication of Statement of Ownership for a Requester Publication is required and will be printed in the October 30, 2012 issue of this publication.
18. I certify that all information furnished on this form is true and complete:
Jenny Hernandez-Asandas, Director, Print and Online Production
©Copyright 2012 by 1105 Media, Inc. All rights reserved. Printed in the U.S.A. Reproductions in whole or part prohibited except by written permission.
Mail requests to “Permissions Editor,” c/o FCW, 8609 Westwood Center Drive, Suite 500, Vienna, VA 22182-2215. The information in this magazine has not
undergone any formal testing by 1105 Media, Inc. and is distributed without any warranty expressed or implied. Implementation or use of any information
contained herein is the reader’s sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar
results may be achieved in all environments. Technical inaccuracies may result from printing errors and/or new developments in the industry. Media Kits:
Direct your Media Kit requests to Carmel McDonagh, Vice President, Marketing, 703-876-5040 (phone), 703-876-5059 (fax) cmcdonagh@1105media.com.
Reprints: For single article reprints (in minimum quantities of 250-500), e-prints, plaques and posters contact: PARS International. Phone: 212-221-9595.
E-mail: 1105reprints@parsintl.com. www.magreprints.com/QuickQuote.asp. List Rental: This publication’s subscriber list, as well as other lists from 1105
Media, Inc., is available for rental. For more information, please contact our list manager, Merit Direct. Phone: 914-368-1000; E-mail: 1105media@meritdirect.com; Web: www.meritdirect.com/1105.
1105 GOVERNMENT
CORPORATE HEADQUARTERS
9201 Oakdale Ave., Suite 101
Chatsworth, CA 91311
www.1105media.com
BackStory
A cyber conundrum
Cyberattacks of all sorts are multiplying…
650% increase in attacks on federal agencies in 5 years
50,000 attacks on private and government networks reported to DHS in a five-month span
1.8 successful attacks against private firms per company per week
At least 28 nations have cyber warfare capabilities
1. Australia
2. Brazil
3. Canada
4. China
5. Czech Republic
6. Estonia
7. France
8. Germany
9. India
10. Iran
11. Israel
12. Italy
13. Kenya
14. Myanmar
15. Netherlands
16. North Korea
17. Nigeria
18. Pakistan
19. Poland
20. Russia
21. Singapore
22. South Africa
23. South Korea
24. Sweden
25. Taiwan
26. Turkey
27. United Kingdom
28. United States
...U.S. agencies are responding...
79% of agencies say cybersecurity is a top IT priority
39% say cybersecurity is THE top IT priority
$3 billion is what DOD spends annually on cybersecurity
...but the true costs are unclear
ProPublica has found that the widely touted figures of $250 billion a year in cyber-crime
costs for U.S. companies and $1 trillion globally are all but impossible to document.
Sources: GAO, Bipartisan Policy Center,
Ponemon Institute, Jeffrey Carr, MeriTalk,
DOD, ProPublica. For links to sources and
additional details, please visit FCW.com.