Results tagged “budget” from Lohrmann on Infrastructure

NASCIO Midyear Conference Recap

The National Association of State CIOs (NASCIO) Midyear Conference for 2010 was held during the last week of April in Baltimore.  The attendance was the highest ever for a NASCIO Midyear Conference, and I was impressed with the content, speakers and overall agenda. This blog briefly covers some of the highlights from my perspective.

On Tuesday afternoon, a pre-conference session on Identity Management was held. We heard updates on ongoing activities in several states, Washington DC and federal agencies, and we discussed the upcoming draft document entitled: The National Strategy for Secure Online Transactions.  If you're looking for more information on this new national strategy, here's another article on this topic. The discussion and break-out sessions were excellent. This issue is sure to be a hot topic in coming months, so stay tuned for more updates on this pivotal aspect of digital government. (I plan to spend more time blogging on this topic later this summer.)

The Wednesday afternoon members-only session began with a presentation by Federal CIO Vivek Kundra. Here's an excerpt from the NASCIO website:

"Kundra challenged the CIOs to identify two areas where states and the federal government can collaborate on addressing challenges in information technology. Federal and state government spends billions a year annually on technology. With limited resources in federal and state government to carry out critical and non-critical services, we must work together in a state-federal IT partnership to find solutions and tools to get the maximum return on investment from information technology."

After Mr. Kundra, we heard from the Director of the US CERT, Randy Vickers. Mr. Vickers, who recently moved from "Acting Director" to become the formal US CERT Director, did a very nice job of articulating the various priorities that DHS is working on right now within the National Cyber Security Division (NCSD) and within a variety of public sector and private sector committees and working groups. The importance of fusion centers, the opportunity for more state CIOs to obtain security clearances, and pilot programs on cyber security were just a few of the topics Randy mentioned.

The opening session on Thursday morning was perhaps my favorite session. The topic was: "Perspectives from Great Leaders: Visionaries, Role Models and Innovators." The moderator was Peter Harkness, founder and publisher emeritus, Governing. The speakers were Martha Dorris, Deputy Associate Administrator, Office of Citizen Services, US General Services Administration; Phyllis Kahn, Representative, State of Minnesota; and Bill Purcell, Lecturer in Public Policy and the Director of the Institute of Politics, Kennedy School of Government, Harvard University.

Here were some interesting topics/comments that were discussed by this excellent panel:

  • Leaders understand where the organization is, where they need to go, and what the gaps are. They execute and deliver results.
  • Leaders act as a "heat shield."
  • Leaders are respected, but fear is used less as a technique (than in earlier generations).
  • Leaders are on point and bring everyone home safe.
  • The debt crisis is the most predictable crisis we have ever faced.
  • Great quote: "I have friends on both sides of that issue and I'm with my friends."
  • Unhelpful techniques include concepts like "year of the child." (So next year we won't care about children?)

Other great sessions included Howard Schmidt's lunchtime keynote, new developments in wireless broadband, breakout sessions on topics like cloud computing and discussions on smart strategies with tight budgets.

Overall, I found the mid-year conference to be extremely valuable. The networking with colleagues from around the country was great, and the interaction amongst the states during the working sessions provided a unique opportunity. The federal government sent several high-level executives that clearly want to partner with the states in new and exciting ways.

The upcoming elections this fall have also focused everyone's attention in several ways. CIOs are asking what can be accomplished in the next six months that will show meaningful and lasting results. Many leaders within NASCIO are predicting that we will see many new CIOs by this time next year, so a big focus in the hallways was preparing for fall transitions and for new administrations in state capitals beginning in January. Some speakers predicted that CIO influence will also continue to rise.

If you are a state IT exec and missed the conference and/or you are thinking about the rest of 2010, I urge you to attend the NASCIO Annual Conference this fall. The investment in time and resources is well worth it. In fact, I find that I always get much more out of these NASCIO events than I put in.

If you were in Baltimore, I'd love to hear your thoughts on the NASCIO 2010 Midyear Conference.   Please leave comments below.   

Enforcing Enterprise Standards: Who, What, When, Where and How?

Since posting a blog on the Apple iPad's effect on government standards a few weeks back, I've received several questions from around the country regarding Michigan Government's processes surrounding the enforcement of enterprise standards. This topic seems to have generated a lot of interest from readers. Here's a quick overview of some of our controls.

Almost all state and local governments have laws, policies, rules and regulations regarding purchasing various hardware and software products and developing technology standards. But enquiring minds want to know how we control purchases, enforce policies, provide guidance, and manage the product standards once they are determined. Are there any "best practices" that I can share from Michigan on policy and standards governance? Beyond credit card limits and purchasing work flow approvals, how do we manage the formal approval process for requests and get to "yes" for our business customers? When do we bend and who gives in when business areas come to us with genuine (essential) requirements and real needs - and not just wants?

 Actually, there are several helpful items I can share. After we consolidated technology into one agency eight years ago, it took us several changes to get where we are today. We hope and believe that our architecture is fairly flexible to meet a variety of circumstances, but some would argue otherwise. Our standards exception process has gone through at least three rounds of modifications over the past few years - and it has been painful at times.

As general background, you can access several relevant documents at this website which cover Michigan's Enterprise standards.  Our DTMB administrative guide lists many of our government-wide policies (see the 1300 and 1400 series policies on this page for some of the technology-related items). We are in the process of updating our technology plans and issuing a new strategic plan this summer, but the background provided in our current strategic plan from two years ago may be helpful.  

Like most governments, we have committees to pick products and evaluate requests for proposals (RFPs), and ad hoc cross-functional groups to look at all aspects of service delivery. We also have an enterprise architecture team to assist with difficult situations, refresh technology plans, offer advice, etc. These individuals and groups can offer "solution assessments" that help various agencies decide on the most appropriate solution to solve their business problem. They offer help on security controls, explain which "zone" servers need to sit in, explain what products are supported, and much, much more.

But the $6 million question is about enforcement of standards in security and technology architecture, and how we deal with inevitable exceptions.

All technology purchases in the state need to go through our department. We have service catalogues which describe infrastructure services and pricing, from PCs to networks. Changes to firewalls, networks, or other devices are controlled through the ordering and internal request for change (RFC) process, and this prevents unauthorized changes from occurring.

But what about stuff like the Apple iPad that's not on the list? In Michigan, we have a Technology Review Board (TRB) and an Executive Technology Review Board (ETRB) to provide oversight. The TRB is a formal group that oversees exception requests. They deal with one-off problems and are empowered to grant temporary exceptions up to 6 months. Longer exceptions and appeals go to the ETRB, which contains senior execs from all parts of our organization. Think of the ETRB as our technical "Supreme Court" for technology decisions, with representatives from all parts of the organization (including the customer liaisons, CTO, deputy directors, CISO and others).

Requests to the TRB (which comes first) or ETRB are made via online templates, and must contain the business case, return on investment (ROI), life cycle costs, support plans, and other relevant items. The format and discussion are very structured and efficiency in the process is maximized. While this may seem very complex to many readers, the process works well. ETRB decisions are made on 2-3 cases in under an hour, and the ETRB usually meets twice a month for 60 minutes or less. Emergency meetings are called when needed, and the group has even convened by phone.

The interesting thing is that quite a bit of role-reversal ends up happening amongst ETRB members. The security guys sometimes argue for business customer service and agency reps argue for security changes. The board is fair and management enforces the rulings all the way down the management chain, so everyone has skin in the game. The focus is always getting the agency business process working, and any risks identified with the technology exception are accounted for via signature by the business customer.

Best of all, the "word" gets out to staff. Technical architectures and standards mean something. If you don't follow the rules, your case will quickly get thrown out.

For example, exceptions for 6 months are reviewed in six months - and you'd better come back to the board with the system fixed or security flaw remediated. (Yes, we have an excellent "secretary function" keeping track of all exceptions and timelines for the TRB and ETRB.) Checkpoints are added to check status of changes.

The auditors love this process because it has real teeth and is based on repeatable processes. The businesses get to argue their security case, and no one (usually) ends up being the "bad guy."  Most decisions end up being unanimous now, although that wasn't true four years ago when we started the TRB/ETRB.   

Bottom line, the boards take the good, the bad and the ugly. We make lemonade out of project lemons. Our goal is to offer customer-focused answers while enforcing enterprise standards - a tough thing to do. 

So what about that iPad you want - I mean need? Submit your business case, and we'll take a look. Otherwise, you can fight for whatever you'd like during the next enterprise architecture technology refresh cycle.

So what's your government's process for enforcing standards and balancing customer service? I'd love to hear other approaches.  I will also answer any follow-up questions.

Action Required: End Coming for Windows 2000

Microsoft is warning that the extended support phase is ending for Windows 2000 (server and client), on July 13, 2010.  In addition, other products with lapsing service include: Windows XP Service Pack 2, Vista RTM, and Windows Server 2003.

Here's what GCN was reporting: "On Wednesday, a Microsoft lifecycle support blog post hinted at grim prospects for those who don't upgrade before that time. Simply put, the end of extended support for those products means that no more security updates will be delivered to patch vulnerabilities in those operating systems. Support articles will remain online, but just for a year.

Microsoft customers who can't upgrade when extended support ends have another option: They can request "custom support" from Microsoft, which will cost extra."

Yes, this is a big deal for many state and local governments. As anyone who suffered through the migration off of Windows NT will tell you, upgrading operating systems can become quite challenging for a long list of reasons. Applications need to be tested in the new environment, and there never seems to be enough time to get systems migrated. These projects require time, resources and priority.

So what if you stay put? Buying continued support on Windows 2000 after July 13 is very expensive, according to my sources. However, if you do nothing with your Windows 2000 servers, you will open up your enterprise to numerous malware threats and other problems.

Within the state of Michigan, we still have dozens of servers on Windows 2000, and we have kicked off a project to virtualize and upgrade these boxes. No doubt, the simpler thing to do is to just get off of older hardware; however, we are utilizing a variety of tools to help upgrade the OS at the same time. This project is sure to cause some unexpected challenges.

What are your plans for Windows 2000 servers? (Feel free to go ahead and brag if you're totally off of this OS.)

Vancouver Olympics: New Technology, Security & Infrastructure

 This is not your grandfather's winter games. Every Olympic city makes major investments in technology, security and infrastructure in the 21st Century, and the Vancouver Winter Games are no exception.  The Olympic Cauldron will be lit on February 12, 2010. And yet, the hard work began immediately after Canada was selected to host the 2010 Winter Olympics back in 2004.

Want some examples?

1) Technology companies are certainly talking about their unique role in these Games. Green technology is a central element. Check out this Canadian website on technology related to the Olympics.

2) Stopping terrorism is essential. One article back in 2005 estimated that the security budget would be about $177 million with a 50-50 split between the federal and provincial governments, but USA Today put actual security spending closer to $1 billion. More than 1000 security cameras are in place for the Winter Olympics.

3) Infrastructure development has been important. There are plenty of stories online about the people behind the scenes who make the Olympic Games happen. There are also stories about the technology being used. If you look hard enough, you'll find just about every big IT company is involved in some way. One example is Sun, but AT&T and others are right there as well.

4) The economic development aspects and wider role of the Olympics can be seen in YouTube videos like this one.

5) The role of the city mayors and Vancouver Government overall has been a huge part of this story.

Bottom line, this is big business. Just like the involvement of the South African Government in preparing for the 2010 World Cup in June, the Vancouver Olympic Games required an incredible investment in everything that we do in government technology every day. The difference is the scale, and the number of people watching.

So when you watch that beautiful opening or closing ceremony, when the US Hockey Team is skating to victory or those international downhill skiers fly past your TV screen, remember the technology and security infrastructure that made it all possible.   

Let the games begin...

Move Over Real ID: Here Comes PASS ID

  After a revolt over cost, timelines and a host of other difficult issues, the original "Real ID" appears dead. Secretary Napolitano testified this past week on why changes were needed to create a new "PASS ID" which will be partially funded by the federal government. PASS ID stands for "Providing for Additional Security in States' Identification Act." Washingtontechnology.com described the differences in this plan.  

Calling it "Real ID Version 2," new legislation was introduced into Congress which would modify the Real ID Act of 2005. Implementation details from the original Real ID were opposed by many Governors, the National Governors Association and numerous privacy activists.

Here's an excerpt from a Govtech.com article describing the National Governors Association (NGA) position on this topic:

   The NGA said in a release that PASS ID Act recommendations supported by the NGA included:

  • Reducing costs by providing greater flexibility for states to meet federal requirements by eliminating fees associated with the use of existing databases and eliminating unnecessary requirements
  • Eliminating the need to develop costly new data systems that raise significant privacy and cost concerns without increasing security
  • Strengthening privacy protections by requiring procedures to prevent unauthorized access or sharing of information
  • Allowing states to better use existing timetables to renew compliant drivers' licenses and identification cards.

But critics of PASS ID claim that this new "scaled back Real ID" won't solve many of our driver license fraud problems. The Washington Post reported:

    "The new plan keeps elements of Real ID, such as requiring a digital photograph, signature and machine-readable features such as a bar code. States also will still need to verify applicants' identities and legal status by checking federal immigration, Social Security and State Department databases.

But it eliminates demands for new databases -- linked through a national data hub -- that would allow all states to store and cross-check such information, and a requirement that motor vehicle departments verify birth certificates with originating agencies, a bid to fight identity theft.

...'The new plan would still let people get licenses with fake documents,' said Rep. F. James Sensenbrenner Jr. (R-Wis.), who authored the 2005 legislation." 

It remains to be seen if these modifications to Real ID become law. However, with state governments in difficult budget situations, there is no doubt that PASS ID, with federal funding, is a welcome sight for most cash-strapped states. The chances are very good that a similar new approach (with some modifications) will become the driver's license standard that is implemented across America.

What are your thoughts on PASS ID?

Hard Savings Now

  As our national and local economies continue to struggle, managing a technology budget is getting increasingly difficult. There are many unknowns as we head into fiscal year 2010, and state government budget problems are widespread.

 For example, Governor Schwarzenegger recently said, "I'm proud of California, even though we have our crisis. No one can point fingers, because as you can see, there are 30 states right now that have their fiscal year starting today that also don't have a budget, so I mean let's not get carried away and just look at California as we are the only state that cannot manage the budget." The Associated Press story went on to name other states who are struggling.

 Regardless of where your state or local government is at regarding an overall budget, technology leaders are being pressed to find hard savings now. In one sense, this may seem obvious. Isn't this just a central part of our job? Aren't we always on the lookout for ways to save money while being more innovative and tech savvy at the same time?

 Yes and no.  Hopefully, we can show a return on investment (ROI) on all of our technology projects. We consolidate datacenters and build partnerships and shared services to cut costs and become more efficient and effective. Nevertheless, our current economic situation is different in my opinion. This is not your traditional IT-budgeting 101. We need to go further.

Along with the fact that we have been consolidating technology and cutting costs in Michigan over the past five years, here are some of the actions we are taking this summer to gain hard savings now within infrastructure - while still striving to improve customer service. Note that these activities are on top of other actions taken over the past twenty-four months such as a letter to vendors asking for a 10% reduction in costs. (Most vendors participated, by the way.)

What are we doing?

1) Meeting with strategic vendors to examine every contract, maintenance agreement and platform. Asking questions like: how can we save hard dollars over the next fiscal year? Asking for options and a cost/benefit analysis for various options. Beware of short term increases in cost that will supposedly save money in the "out years." Everything should be on the table.  

  We've been pleasantly surprised by the creative alternatives that our partners have brought to the table. For example, we are working with EMC Corp to reduce the number of storage boxes, and thus maintenance costs, while still providing the same (or better) level of service.   

2)  Prioritizing existing projects to see what we must stop doing given existing resources. Many states are facing furlough days, cuts in overtime or even layoffs, so we need to be frugal.

  This project prioritization process is hard, but it is worth the effort. Despite value that we anticipated achieving over 3-5 years for several process improvement initiatives, we stopped or modified three large projects that would have cost the state almost $10 million over the next three years.  

  I will discuss how we went through this prioritization process in a future blog, but needless to say, you need a good methodology to ensure that the most essential IT projects continue. None of us wants to mortgage our government's IT future. But just as we make tough decisions in our family budget when overall income drops, these same decisions need to be made by many government technology teams now.

3)  Replaced overtime with flex schedules for many. We cut overtime by over 80%. Tougher standards were put in place to approve overtime for high-profile projects with tight schedules. Generally speaking, break/fix overtime continues for critical systems, but some non-critical systems must now wait longer to be fixed on off-hours, especially on furlough days.   

  No, this is not popular with staff. However, we emphasize the fact that we are saving precious dollars so that we can minimize any potential layoffs.

4) Continuing to examine options for contractor conversions. I discussed this topic in detail in a previous piece, so I'll just point you to that blog entry entitled: How Insourcing Jobs Can Save Dollars.

A few quick tips: some vendors will describe cost savings as "hard" when they really are "soft." For example, efficiencies that let you do more with less are nice, but you may need to lay off staff to actually save any money. Unless you actually plan to eliminate staff or contractors, the "productivity savings" are actually soft savings. (Note: it is also true that these staff can be moved to do other required functions, fill vacancies or start a new project. But again, watch the bottom line and make sure you've thought through the real savings.)

Vendors often encourage us to spend $1 million to (hopefully) save $2 or $3 million over three or four years. The problem is that we don't have the current dollars. Make sure you can pay for any short term costs if you agree to take on new cost-saving projects. Finally, take this opportunity to ensure that previous cost-saving initiatives are panning out as expected.

Bottom line, we expect to save millions of dollars in the next fiscal year that we will pass along to our agency customers in the form of lower rates. In addition to hard savings, we are also capturing millions in cost avoidance (soft dollars). I highly encourage an aggressive look at previous assumptions for usage levels across the board. Believe it or not, we may actually provide a better service when these efficiencies are put in place. I'm also learning a ton about our operational costs along the way.

What are your thoughts on saving IT dollars in tough times?        
