Hot or not: Congress failed to make a mark

But policies for better information sharing and e-discovery were positive advances

In the past 12 months, the White House, Congress and agencies addressed a wide range of policy issues, some more successfully than others. The moves to consolidate data centers and streamline financial and human resources management operations were prevalent themes in 2007, but the absence of new laws setting policy highlighted the continuing stalemate between Congress and the White House.

Hot: IT consolidation

Large agencies, including the Homeland Security Department, consolidated information technology platforms and data centers to improve security and reduce costs. Agencies were helped in their consolidation efforts by the Office of Management and Budget’s Information Technology Infrastructure Line of Business, a governmentwide initiative for standardizing infrastructure improvements to reduce costs and maintain or increase performance.

Agencies spent billions of dollars on computers, data centers and telecommunications, but they lacked a federal standard against which to measure the benefits of that spending. In industry, Gartner introduced a set of general-purpose infrastructure metrics for assessing support costs, efficiency and service levels for desktop computers and help desks. In 2008, the company will develop similar metrics for mainframes and servers and telecom services.

Agencies found that IT consolidation requires organizations to change their culture, said Brian Burns, deputy chief information officer at the Education Department. “Most agency business owners want to touch and feel their IT,” he said. “I tell them to let it go. It’s about measures to get performance.” Meanwhile, Education awarded a service contract with service-level agreements for all of its IT infrastructure and support.

— Mary Mosquera

Not hot: Agency funding

With Congress and President Bush squabbling over spending bills late into the year, federal agencies were forced to count pennies to keep the government operating. A case in point: Bush vetoed a $23 billion water resources bill, and lawmakers overturned it Nov. 5.

However, the sparring didn’t end there. In mid-November, Bush signed a $459.3 billion Defense Department spending bill and then vetoed the appropriations bill for Labor, Health and Human Services, Education and related agencies because it exceeded his recommended spending cap. It looks as though another long-term continuing resolution is in the offing, meaning that 2008 would be the second consecutive year that agencies would be funded at about the 2006 level.

The budget uncertainty has forced some agencies to scale back operations. For example, the Census Bureau is undergoing a pivotal rehearsal for the upcoming 2010 census. The continuing resolution provided no additional money for the bureau’s operations. With the main portion of the agency’s census dress rehearsal scheduled to begin in less than five months, planning officials trimmed as many non-IT-related tests as possible and pushed the opening of the rehearsal back by a month.

The continuing resolution “made us stop and think about what we could spend on what,” said Frank Vitrano, chief of the bureau’s decennial management division.

— Wade-Hahn Chan

Hot: Real-time security monitoring

Agencies began to grasp the idea that security risk is a changing, dynamic condition that makes it difficult to use traditional security certification and accreditation procedures to comply with the Federal Information Security Management Act. The National Institute of Standards and Technology published a Risk Management Framework to help agencies deploy security controls and assess the risk to systems that support their missions.

FISMA was energized by collaboration among the officials of the Office of the Director of National Intelligence, DOD and NIST who are developing a governmentwide foundation of standards and guidelines for risk management, said Ron Ross, a senior computer scientist at NIST. Ross said real-time, continuous monitoring of security controls equips agencies with an effective defense against sophisticated cyberthreats.

“The threats plus the dynamic nature of the world we live in today combine to drive us toward almost real-time continuous monitoring,” he said. Real-time monitoring makes agencies aware of information security risks as hardware and software change.

The Bush administration called on Congress to transfer $115 million to the Homeland Security Department’s Einstein gateway monitoring program. OMB issued a policy mandating the program’s use.

The Justice Department and Environmental Protection Agency developed applications that automate real-time, continuous monitoring. Those applications are available under the governmentwide Information Systems Security Line of Business, which offers agencies a cost-effective method to acquire tools and support for security programs.

— Mary Mosquera

Hot: E-discovery

A December 2006 amendment to the Federal Rules of Civil Procedure expanded the pool of documents that organizations might be asked to produce in a lawsuit’s discovery phase. That pool now includes electronically stored information, a change that caused agencies to scramble to learn how to implement e-discovery.

“There has been an enormous rise in awareness since the rules change and some of the adverse [court] rulings that have gotten people scared,” said Rachel Spector, a senior attorney at the Interior Department who helped assemble the Federal Electronic Discovery Working Group.

Despite new guidance from Justice on how to handle electronic discovery, experts say agencies still are uncertain about what to do. “The reality is that you have varying levels of compliance and awareness throughout the federal government,” said Jonathan Redgrave, an attorney and editor of “The Sedona Principles: Best Practices, Recommendations and Principles for Addressing Electronic Document Production.”

“The biggest problem that we’ve seen with agencies is that they don’t have the right people or haven’t done their homework to prepare before litigation,” Redgrave said.

Interior learned about preparing for e-discovery the hard way. After agency lawyers were unable to produce certain electronic documents during the discovery phase of an ongoing court case, the judge called the department’s entire IT security into question. As a result, the department agreed to disconnect from the Internet in 2001, and today, several Interior components still do not have e-mail accounts.

“I think the overarching lesson is beware of what you don’t know before you make representations to the court of what you can produce during the electronic discovery process,” Spector said.

— Ben Bain

Not hot: Legislative stalemate

The contentious relationship between Congress and White House officials is to blame for a noticeable lack of new legislation in 2007. Many proposed bills and legislative updates stalled in committees, didn’t have support in both chambers or were rebuffed by the White House.

Even hot topics, such as reforming procurement and inspectors general, failed to get out of the House and Senate. For example, the Inspector General Reform Act cleared the House and the Senate Homeland Security and Governmental Affairs Committee. Lawmakers are negotiating with the administration on the bill because Bush threatened to veto it as it is currently written.

Other issues have simply slipped under the radar. The E-Government Act of 2002 will expire Dec. 17. The Senate waited until late November to approve a reauthorization bill. Meanwhile, the House has no similar bill. Lawmakers sent the Wired for Health Care Quality Act to committee after it failed to reach the floor for a vote.

Trey Hodgkins, director of defense programs at the Information Technology Association of America, said procurement reform attracted congressional attention, particularly among members of the House Oversight and Government Reform Committee. However, reform legislation stalled because lawmakers went into wait-and-see mode for the duration of President Bush’s term, he said.

“Some of these proposals could be being held because of who could become [the next] president,” Hodgkins said. “I believe we will see a different approach to these issues, given the leadership” in Congress.

— Wade-Hahn Chan

Hot: Identity management

Agencies wrestled with several secure identity verification programs, including Homeland Security Presidential Directive 12 for federal employees and contractors, Real ID for states, and the Transportation Worker Identification Card for port workers. No agency fully met an October deadline to issue HSPD-12 secure ID cards to employees and contractors, and many agencies might not make the next HSPD-12 deadline in 2008.

Meanwhile, DHS’ Western Hemisphere Travel Initiative published its air travel rule in June. The requirement that U.S. citizens have passports for air travel across U.S. borders threw people into a panic and resulted in a huge backlog of passport applications at the State Department.

Fearing further backlogs and unacceptable costs, Washington Gov. Chris Gregoire (D) announced in March that the state would pilot secure driver’s licenses that would meet WHTI’s requirements. The new IDs would also fulfill another controversy-mired DHS mandate, the Real ID Act, which requires states to issue driver’s licenses based on national standards.

Washington was one of several states to test a secure driver’s license. Arizona, Vermont and New York also jumped on the bandwagon. “Agreements like this one, and the others before it, move secure identification in the right direction,” DHS Secretary Michael Chertoff said during a recent press conference announcing the Arizona pilot project.

DHS also launched TWIC for all port and maritime workers, despite union complaints about the price of TWIC cards — $132.50 apiece — and the background check that must be completed before workers can get a TWIC badge. DHS expected to finish deploying TWIC to all ports of entry by September 2008.

— Wade-Hahn Chan

Not hot: IPv6

The government’s mandatory switch to IPv6 didn’t generate a lot of excitement as agencies prepared to upgrade their backbone networks to support the new protocol. In 2005, OMB told agencies that by June 30, 2008, their network backbones must be ready for IPv6, and other networks should be capable of handling the new protocol.

“It’s a good news story that doesn’t have any new news,” said Casey Coleman, chief information officer at the General Services Administration. “I think that might be why it kind of dropped off the news circuit.”

Coleman said agencies have started to refresh their technology and infrastructure, and vendors are making IPv6-ready products. But IPv6 has not gained the attention of agency leaders.

A Federal Computer Week survey released in August found that many agency employees don’t know about the IPv6 mandate, and many federal IT employees are unaware of the transition’s challenges. Also, at least 30 percent of the respondents who knew about the requirement were unaware of the status of their agency’s progress, the survey found.

— Matthew Weigelt

Hot: Information sharing

Information sharing has been a buzzword since the 2001 terrorist attacks, but federal, state and local agencies didn’t make significant progress toward sharing information until this year.

John Cohen, senior adviser to the program manager for the Information Sharing Environment, said two events marked the development of sharing capabilities. First, he said, was gaining an understanding at the federal level of state and local roles and responsibilities.

“That common understanding allows us to have productive discussions on how to facilitate information sharing,” Cohen said. Cohen also said the White House’s National Strategy for Information Sharing, issued in October, recognizes the role of state and local agencies.

Another significant development was the agreement on a data standard, Cohen said. The National Information Exchange Model (NIEM) gained greater acceptance within the Justice and Homeland Security departments and the intelligence community. Cohen said the use of NIEM will improve data sharing because it offers standards for structuring information.

— Jason Miller
