Managing Technology 2008

Get ready for tougher privacy rules, an Internet overhaul, more procurement oversight, and a focus on health data and tighter security.

Information technology spending slows because of a costly war. Personal information and sensitive data leaks become floods. Congress probes one procurement scandal after another. IT project failures mount.

Expect more of the same in 2008, plus new challenges, too. But which demand should top the list?

We asked IT managers, consultants, contractors and researchers to choose the most pressing issues for 2008. They said privacy and information security will remain high priorities. Congress will continue scrutinizing procurement practices. Health care automation will pick up steam. Deadlines will continue to shape IT agendas. Also high on the to-do list: complete the transition to high-tech ID cards and upgrade Internet infrastructures.

"Deadlines are important because [they get] everyone talking," says Ray Bjorklund, senior vice president and chief knowledge officer at the McLean, Va., market research firm Federal Sources. "This administration has started some meaningful initiatives in the area of IT management and capital investment planning and control that will have good payoff. But trying to introduce and insert these kinds of technologies in an enterprise as large as government takes a while."

Historically, government has interpreted deadlines rather loosely. They are assigned, then often pass without action, prompting little more than mild reprimands. That's changing, however, as IT initiatives converge, and one deadline directly affects the next.

"All of these [initiatives] are top priority; we wouldn't have them if they weren't," says Karen Evans, administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget. "[It's a matter of] compliance versus actually trying to achieve the results. If [agencies] only focused on compliance, [they] are going to have a hard time as these mandates loom. They are meant to build off one another."

Meeting deadlines and complying with guidelines and rules is one thing. Making IT work to improve service and performance is another. If 2007 is any indication, 2008 could find agencies straining to deliver results. Our experts offer suggestions to improve the chances that new initiatives will pay off.

Protect personal data

True story: A cleaning crew threw out documents containing data on every employee in an agency, leaving officials to hunt down the dumpster. Fact: As of October, federal agencies reported an average of 30 incidents a day in which personally identifiable information was exposed.

Safeguarding privacy-both for government workers and the public-by locking down personal information will emerge as one of the most important aspects of data security in 2008. "Privacy is so inherent that the traditional ways of measuring a security incident don't necessarily apply," says the acting chief privacy and civil liberties officer at a large civilian agency.

The fallout from a privacy breach can be far greater than for a security failure because of the potential harm to the individual. "[We're] in an era where privacy is at the forefront, [and] we don't want to put out there that we're vulnerable. We need to show we can respond when something happens; that we know what to do," says the privacy officer.

What does "knowing what to do" look like? The answer to that question lies in past laws and memorandums.

The Privacy Act, originally passed in 1974 and most recently updated by the Homeland Security Department in November 2006, requires every agency to enact rules of conduct for those working with records systems and to establish administrative, technical and physical safeguards to ensure the confidentiality of records.

OMB also released memorandums on privacy, requiring every agency to designate a senior agency official for privacy and to conduct a review of policies and processes. Beginning in July 2006, OMB required agencies to report within one hour to the U.S. Computer Emergency Readiness Team all security incidents that expose personally identifiable information. By June 2007, 40 agencies had reported almost 4,000 incidents, an average of about 14 per day. Within four months, the number had more than doubled.

To keep reported incidents to a minimum and reduce risk, agencies should ensure personal information is treated the same as all other sensitive information-especially when stored on mobile devices, security experts say. Next year would be a good time to make sure the agency is following a checklist provided by the National Institute of Standards and Technology. Tasks to tick off include encrypting all data, two-factor authentication, a time-out function requiring user reauthentication after 30 minutes of inactivity, and creating a log of all extracts from databases that hold sensitive information and ensuring that data is erased within 90 days. To prevent printing or downloading of data to a mobile storage drive, agencies can lock folders and applications containing personal information.

"Agencies have to think comprehensively about information assurance and management," Evans says. "If you consider cybersecurity but not privacy, you won't have a comprehensive program and won't be mitigating the risks."

Pressure to protect personal information is growing, especially in light of the need to shore up public trust in government. Eroding confidence could undermine and even undercut many programs, says Bruce McConnell, former OMB IT policy chief and president of Washington consulting firm Government Futures. "Our tax system assumes that most people report honestly, as do social benefit programs and even the census, [so] we don't have to spend that much on compliance," he says. "Privacy breaches undermine that trust. There's a cumulative, chilling effect that will cost us all in the long run. IT managers have a real civic responsibility in this area."

Update the Internet

By June 2008, all agencies' infrastructures must be using Internet Protocol version 6, which dramatically increases the number of available IP addresses-the unique identifiers attached to every computer on the Internet. IPv6's predecessor, IPv4, is expected to run out of addresses by 2010.

OMB still has some logistical issues to resolve, such has how to enforce the transition, whether vendors will be expected to self-certify their products for IPv6 compliance, and how to test federal IT infrastructures for compliance.

For agencies, the deadline shouldn't be too difficult to meet. Previous milestones required agencies to inventory affected hardware and software and develop risk assessments and transition plans. Now it's time to put those plans in motion. Stan Tyliszczak, senior director of technology integration in the Chief Technology Office of General Dynamics, a Falls Church, Va., systems integrator, says agencies easily are meeting the IPv6 mandate.

What will be more difficult, he says, is to take advantage of the next-generation Internet.

"Agencies need to begin looking at the application benefits they can drive out of IPv6. It's not just additional addresses." OMB should push agencies to move beyond merely complying with the infrastructure requirements, he says. For example, ask agencies to have a certain percentage of traffic migrated to IPv6 by a certain date. Evans says OMB has no plans to issue additional mandates. Without milestones that encourage complete migration, agencies might fail to take full advantage of IPv6. Many plan to use tunneling strategies that encapsulate IPv6 packets of data within IPv4 to allow two IPv6 networks to communicate through an existing IPv4 network. This is like dressing the data in a disguise to fool the network into allowing it to pass.

While that loophole might get agencies a check mark for compliance, it won't allow them to fully leverage the latest version. For example, packets of information that travel over an IPv6 network can be as large as 4 gigabytes-more than 65,000 times the limit in IPv4.

In addition, IPv6 enables self-forming ad hoc networks, where connections are established directly between wireless devices, such as laptops or handhelds, rather than first being routed through a server on the back end, says David Kriegman, president of Command Federal, a Vienna, Va., solutions provider that specializes in IPv6 transitions. This is valuable for first responders, who could connect immediately to one another at the scene of an incident and exchange information housed on their networks. A police officer could share geospatial data available through a network application with firefighters trying to gauge the scene of an accident, for example. "This year was focused on the backbone," Kriegman says. "Now, [agencies] have to view IPv6 as an enabler for doing government work better and driving missions."

Contract with care

IT contracting has received loads of attention in the past couple of years, thanks in part to some high-profile scandals, such as an accusation that General Services Administration chief Lurita Alexis Doan urged procurement staff to renew a contract with computer manufacturer Sun Microsystems Inc. despite questions about alleged fraud and overcharging.

"If you're entering into a contract for a major IT system with a high degree of risk, be careful," says a Republican staffer with the House Committee on Oversight and Government Reform. "As soon as there's a glitch, you can expect a hearing with your contracting officers. You never win when that happens, even when you're right."

Some bills Congress will consider next year could tighten the procurement leash. Most notable is H.R. 1362, the Accountability in Contracting Act, passed in the House in March and still in committee in the Senate. The bill limits the use and length of noncompetitive contracts awarded in emergencies, requires reporting of contract overcharges, tightens controls to prevent improper influence from industry, and encourages the use of fixed-price rather than time-and-materials contracts. The Senate defense authorization bill contains similar provisions. President Bush opposes the House bill in its current form and has promised to veto it.

"It's not clear whether [these proposals] would improve oversight, but they will definitely increase cost burden and risk placed upon both government and industry," says Stan Soloway, president of Professional Services Council, an Arlington, Va., contractors association.

Watch your health

The Federal Health Architecture e-government line of business requires agencies to adopt IT standards and establish a network framework that allows for the exchange of health data. The Health and Human Services Department is pushing a Nationwide Health Information Network initiative to provide an interoperable information infrastructure connecting health care providers and consumers and ensuring electronic access to health information.

In addition, Homeland Security Presidential Directive 21, issued in October, outlines a National Strategy for Public Health and Medical Preparedness through a biosurveillance system that detects threats to human health. HHS is charged with creating the networked system, which will "allow for two-way information flow between and among federal, state and local government public health authorities and clinical health care providers," according to the directive.

Agencies are feeling pressure to begin in earnest building health IT systems. "We haven't seen quantum leaps from agencies in health IT, but there are so many trains running on so many concurrent tracks that there has to be some activity," says John Slye, manager of federal industry analysis at INPUT, a Reston, Va., research firm. "Both [political] parties have made this a center issue, because it's a bread-and-butter type of area. Integrators are asking how to break in; health care organizations are trying to figure out how to make it work; and government agencies just want to comply."

Under the Federal Health Architecture initiative, OMB requires that in agency budget requests, chief information officers describe and justify health IT investments and ensure they align with and contribute to the administration's health IT plan. June 2007 marked the first time OMB evaluated Defense, Veterans Affairs, HHS and the Office of Personnel Management for health information quality and transparency as part of the President's Management Agenda quarterly score card. All four earned unsatisfactory marks in current status of implementation, but successful marks for progress.

Expect more pressure to comply. HHS is responsible for much of the upfront work, but OMB will look to other agencies to move employee medical records to digital formats and adopt standards and certified applications as they become available.

Meet security standards

In March, OMB issued a memorandum requiring all agencies that run Microsoft XP or Vista to adopt by February 2008 specific security configurations developed by NIST, Defense and DHS. The mandate, born of a 2005 Air Force initiative involving more than 450,000 desktops, is meant to make IT security easier to manage.

"Because we had all these different configurations that we allowed program offices and industry suppliers to define, the Air Force had a diverse and complicated network of PCs that was difficult to manage and change for patches, updates and upgrades," Kenneth B. Heitkamp, the Air Force's associate director for life-cycle management, said in an August interview with GovernmentVAR magazine.

Much of the effort associated with this mandate falls into the lap of industry. According to a June memo from OMB, systems integrators will be responsible for certifying that applications function correctly under the security guidelines and that operation and maintenance will not alter the configuration settings.

Still, agencies will have to review 400 security-related settings in the operating systems. Users will have to be stripped of local system administrator rights and other new restrictions could prove particularly dicey for homegrown legacy applications that are difficult to reconfigure.

"With the new operating system [Microsoft Vista], this was the right time to standardize," Evans says. "Through enterprise agreements for Microsoft products, this can be built in to life cycles as agencies adopt. But they do need to test custom applications and know the implications." Other vendors-including Apple, Sun and even Linux distributors-also are in the process of developing security guidelines and they might not be far off for applications, the Internet and development languages.

"If OMB mandates an operating system configuration, who's to say they won't mandate the Internet protocol configuration, as in IPv6? It just makes sense," Tyliszczak says. "There's no reason why every agency should have a slightly different configuration of Microsoft Word. And more standards allow for more oversight of what's on those PCs. Without them, there will always be rogue applications that sit on the network and pose a security threat."