Government Executive - Authors - Allan Holmes

Tech-Savvy Winners

Allan Holmes — Mon, 20 Sep 2010 00:00:00 -0400

The Partnership for Public Service handed out its top honor to federal employees on Wednesday, awarding eight individuals with its Samuel J. Heyman Service to America Medals.

Check out the the winners, and the descriptions for why they won. What jumps out at me is that many of the recipients relied on information technology to do some heavy lifting. At least half rely on IT to advance the delivery of services, and the others, it sounds like, relied on complicated computer models and programs to munch some heavy-duty numbers. Here are four:

--Shane Kelley, director of the Center for Automation, and Eva Ristow, project manager, both work at the Social Security Administration, won for improving the delivery of benefits to citizens living in impoverished and remote locations by using a two-way video service.

--Sandy Brooks, deputy director of intelligence and security and chief of innovation and technology, received recognition for amassing information and sharing it with military, law enforcement and homeland security agencies to stop semi-submersibles carrying drugs and possibly terrorists.

--FBI Intelligence Analyst Jamie Konstas helped stem sexual exploitation of children by helping build "a groundbreaking national online database that allows federal, state and local law enforcement officials to access detailed information about pimps and child victims."

--Teri Glass, the Army's acting project manager at the Medical Support Systems Project Management Office, developed a state-of-the-art medical evacuation kit for transporting severely wounded soldiers.

Wired Workplace is a daily look at issues facing the federal information technology workforce. It is written by former Government Executive reporter Brittany Ballenstedt, with a guest entry this week from Nextgov Executive Editor Allan Holmes, and published on Nextgov.com. Click here to read the latest entries.

]]>

Techies Want Flexibility

Allan Holmes — Mon, 13 Sep 2010 00:00:00 -0400

Technology jobs continue to be in high demand, which has fueled an increase in higher salaries and signing bonuses, according to Dice.com, a website that posts technology and engineering jobs. But in its September jobs report, it notes another (surprising) demand from technology job seekers that the federal government may want to take note of: a request for more flexible work schedules, including telework.

That's an unusual request from technology job seekers, Dice says. But it's been climbing up the list of incentives being offered to new hires, reaching No. 3, with 9 percent of companies offering a telework option. "Technology jobs with a telecommuting option have doubled on the Dice site year [over] year," the company's newsletter states. "Still, they remain less than one percent of the total jobs available."

Flexible work options remains, however, well below the enticements of a higher salary (42 percent of companies have offered that as a sweetener to take a job) and a signing bonus (22 percent).

The trend for flexible work options would likely come as no surprise to the federal CIO Council. In its recent report on IT workers, Net Generation, the council strongly urged agencies to offer flexible work hours, including telework, to convince young candidates to apply for federal information technology jobs -- the vacancies for which will be increasing sharply in the near future, it warned.

]]>

Pulling Back the Veil

Allan Holmes — Wed, 01 Sep 2010 00:00:00 -0400

Craig Newmark of Craigslist champions efforts to get the word out on transparency.

The Obama administration's open government initiative is discussed regularly in some circles inside the Beltway, but travel just a few miles west and it's rarely, if ever, a topic of conversation.

That's unfortunate, says Craig Newmark, creator of the online classifieds site Craigslist.org and a champion of transparency. That was his message in July at the Aspen Institute's Ideas Festival, where experts in politics, science, arts and other fields discussed big trends.

On a panel with federal Chief Information Officer Vivek Kundra addressing transparency, the Craigslist founder lamented that the White House's open government initiative hasn't received much attention. This is a strange outcome given that "a lot of things are being made to work in Washington" because the Obama administration has pushed making more public data accessible, Newmark said.

Since President Obama took office, Newmark has spent a lot of time in Washington meeting with agency officials and Capitol Hill staffers to talk about transparency. He works with nonprofits and watchdog groups, for example sitting on the board of the Iraq and Afghanistan Veterans of America and providing advice on how to use the Internet. He also is on the board of the Sunlight Foundation, an open government advocacy group in Washington.

Newmark insists progress is being made in transparency, although not at the pace some would like.

Newmark recently talked with Nextgov Executive Editor Allan Holmes about the open government initiative and his next big project, the Immune System of Democracy. Following are edited excerpts.

Getting the word out about the Obama administration's transparency initiative:

Right now with Recovery.gov and a whole bunch of related efforts, for the most part the mainstream media has just ignored it. There's lots of good stuff. It's far from perfect, but I saw a report earlier that mentions flaws in the IT Dashboard, [a website the White House created to disclose agency spending on technology projects]. But they keep missing the point that it's a tremendous reversal from prior years. For example, in prior years, any kind of evidence was hidden. Now this administration is telling the public what is going on and the mainstream media doesn't talk about that.

Consistently, the good stuff going on is either not reported, or it is praised with faint damnation. That's a phrase most people may not get, so I'll say, if something is mentioned at all, which is rare, it's mentioned in a way to undermine it.

On the other hand, we will see people quoted in the press who are, let's say, not being honest about things, criticizing good things happening, and then they are never fact checked. What's frustrating for a guy like me is that I speak a lot to the reporters who do this and they know they have someone on the air or they're quoting someone, and know they are repeating something that is not true and they keep doing it.

How the Immune System for Democracy initiative relates to transparency:

For a democracy to survive it needs a relatively informed citizenry. Historically in any republic, starting with the Romans, it's only a small minority of people who get involved. Most people just want things to work. Like me: I'm a couch potato. But the deal is this decade in human history is too important for you to stay on the couch.

People need trustworthy information to know whom to vote for and issues to deal with. Traditionally in the United States, the press, the mainstream media, fulfilled the role of providing information to people and beyond that to keep politicians honest. The press has always had some sort of success with that.

There are a lot of price pressures on media. And you read reports and you see people trust the media less and less. Nevertheless, the press continues to provide a really valuable function when they do things like fact checking and maintaining a high standard relative to journalistic ethics.

In addition to traditional journalism, I'm seeing an informal network of fact checkers evolving. You may have heard a lot about FactCheck.org, and now we've got PolitiFact.com coming on board doing a pretty good job. Maybe some things you can question, but it's a really good start.

Meanwhile, we have the Center for Media and Democracy, which is exposing disinformation gangs. These are lobbyist types who deliberately deceive people. And the references there are SourceWatch and PR Watch.org. And there's always the Sunlight Foundation, which does a great job, and groups loosely connected like Consumer Reports and AARP.

Whenever I talk about this, there seems to be a tremendous hunger for the restoration of fact checking because people want to see news that they trust. That seems to be very true among millennials.

The role that technology, social media and government transparency play in providing trustworthy information:

The Net doesn't change what people do, but it allows more people to connect and do more of it together.

People in the grass roots can work together with the professionals to do some good stuff and make it much more visible. And the Net, too, is good for research because people can put stuff online that others can find. If lots more people from the grass roots can be involved, what might have been a casual observation in the newspaper, which comes one day and leaves the next, could be an issue that has legs.

The Immune System also means that if a disinformation gang tries to create a falsehood and spread it, it's possible that people of good will could replace that with a more positive and constructive message that tells the truth.

I have spoken about this as it relates to transparency and accountability. I'm speaking to a lot of people on the Hill on both sides of the aisle. People there don't mind a fight. In fact they kind of like it, but the deal is they want to do it fairly, and they want to do it in a more civil atmosphere.

If you are 30 years old and looking forward to a long career, you don't want to spend another 30 or 40 years in a toxic atmosphere. It's better than open warfare, like that which used to happen in the past, but still it's not fun and it's taking a lot out of people. Meanwhile, even among groups that have good will, doing a lot of good work for people, they're being attacked by disinformation gangs, and there are a lot of people talking about what to do about this.

Criticism that government isn't serious about transparency and agencies can improve the way they engage with the public:

That is more of a failure of reporting, because I have spoken to a lot of people at a lot of agencies and they are very interested in it, and they are trying to change their internal cultures. That would be difficult in any period in modern U.S. history, but it is even worse now because prior to the last couple of years people in agencies were told, "Government is the problem," and in terms of their jobs, "Don't bother."

And that's problematic when you tell that to people who work in financial regulation or in the Minerals Management Service. There are a lot of great people at a lot of great agencies who are getting this stuff done, but they are turning around a battleship that almost ran aground. The idea is the people doing this work need to be recognized. Again, a lot of good people are turning the battleship around and let's give them some credit. I bear witness to what they are doing, and I go out of my way to bear witness for what they are doing instead of undermining them.

Engaging citizens more through online communities:

People at the Federal Webmasters Council are working on that. There's progress in that direction. There are federal laws and regulations that slow that down and they are trying to fix that, but it's a long, hard slog.

How transparent and open government needs to be:

A government needs to tell people what is going on and disclose everything except that which would be stupid to disclose. You don't disclose how to build a nuclear weapon. You don't disclose personal information. That is just common sense. The deal is you need to do this to provide the best return on the taxpayer dollar.

]]>

Got a Deficit? Outsource IT Jobs

Allan Holmes — Mon, 30 Aug 2010 00:00:00 -0400

Could what is happening in West Virginia (and other states already) be an omen for what could happen for federal information technology workers?

About 35 West Virginia IT workers marched on Gov. Joe Manchin's office on Tuesday demanding he not outsource their positions to a private company as a means to save money. From The Charleston Gazette:

Earlier this month, chief technology officer Kyle Schafer told legislators that any talk of outsourcing the information-technology jobs is "extremely preliminary." He said outsourcing is only one possible option to cut the state's $35 million annual spending for IT services, with in-house consolidation also a possibility.

Outsourcing, some protestors said, isn't working too well in other states that have done it:

Several speakers Tuesday called on Minchin to heed the experiences of states such as Indiana and Texas, where similar attempts to outsource IT operations have been fraught with service glitches and failures, and sizable cost overruns.

Two Takes on the Pay Debate

Allan Holmes — Mon, 16 Aug 2010 00:00:00 -0400

Thompson posted edited excerpts from two interviews with researchers who have looked into this difference, one with Christian Weller, a senior fellow at the liberal Center for American Progress, and another with Andrew Biggs, a scholar with the conservative American Enterprise Institute. Guess what. They disagree.

I encourage you to read both interviews but here are a couple take aways from each.

On why shouldn't federal workers get paid more, after all, they work on some pretty important and complicated stuff, Thompson points out:

In general, the pay premium is very large for low skilled workers, and small or negative for highly skilled workers, like your SEC regulators. But most people don't have MDs or PhDs. Up through a Masters, you'll find on average that people make more in the federal government, especially at the low end with folks like paper clerks. From Weller on why there's so much confusion on this issue:

The people who make that argument [that federal workers make more than private sector workers] often simply compare average wages. That's wrong because the public sector has substantially more degrees than the private sector. Wired Workplace is a daily look at issues facing the federal information technology workforce. It is written by former Government Executive reporter Brittany Ballenstedt, with a guest entry this week from Nextgov Executive Editor Allan Holmes, and published on Nextgov.com. Click here to read the latest entries.

]]>

From Nextgov.com: Craigslist creator tries to bring transparency initiative out of the shadows

Allan Holmes — Thu, 29 Jul 2010 00:00:00 -0400

Read the full story on Nextgov.com.

]]>

From Nextgov.com: Agencies urged to change workplace practices to attract young workers

Allan Holmes — Fri, 23 Apr 2010 00:00:00 -0400

Agencies face a daunting task of recruiting and retaining young workers to fill computer-related positions as older technology specialists retire, a trend that requires managers to drastically change long-established bureaucratic work environments and traditions, according to a recent report by the federal Chief Information Officers Council.

Read the full story on Nextgov.com

]]>

Workers' View of Security? It's Scarier

Allan Holmes — Mon, 19 Apr 2010 00:00:00 -0400

When it comes to cybersecurity, lower level government employees are far more worried about the porous nature of federal networks than top executives, according to a survey released on Wednesday. The differences are stark, wide ranging and most prominent in departments that handle some of the most sensitive data.

In a survey of 320 federal information technology employees funded by the security firm CA, the Ponemon Institute, an independent privacy and security research firm, found that lower level workers were more concerned than their bosses about:

their agencies' ability to withstand cyberattacks or to comply with the Federal Information Security Management Act;
controlling who has access to sensitive files;
providing security training;
the number of possible threats and the risks they present;
the inability of deployed security solutions working; and
the need for security tools like identity management, firewalls, and antivirus and antimalware apps.

These findings have some serious implications. First, those who work on the computer systems -- the mechanics, as it were - are the ones who know the honest state of cybersecurity I the government. They know what's really going on, and they are sounding a louder alarm bell than their superiors. Second, without leaders who are more tuned in to what troubles federal security, how can we expect them to set the necessary priorities to fix them? We can't.

Finally, the Ponemon survey reported another troubling finding: The departments that have the biggest discrepancies between what line workers and executives think about cybersecurity are those very agencies that work with the most sensitive data: the Defense, Homeland Security, and Health and Human Services departments.

Wired Workplace is a daily look at issues facing the federal information technology workforce. It is written by former Government Executive reporter Brittany Ballenstedt and published on Nextgov.com. Click here to read the latest entries.

]]>

From Nextgov.com: Advice for Obama's chief technology officer

Allan Holmes — Thu, 11 Dec 2008 00:00:00 -0500

Nextgov sat down with Norm Lorentz, the first -- and only -- federal chief technology officer.

Read edited excerpts from the interview on Nextgov.com.

]]>

IT to get more attention in approval process for political appointees

Allan Holmes — Tue, 25 Nov 2008 00:00:00 -0500

The Government Accountability Office released a report on Monday outlining management problems at the largest federal agencies, including shortcomings in acquisition, an inability to collaborate, poor financial practices, shortages of skilled employees, and failure to develop IT projects that perform as planned and improve public services.

The report, which is an update to one released in 2000 before the Bush administration took over, identifies the major issues 28 agencies face for senators in charge of confirming political appointees in an Obama administration. GAO suggested questions the senators can ask nominees to determine whether they have the skills to solve those problems.

"Building and developing the institutional capacity to meet these challenges will require appointing the right people to the right positions," GAO wrote in the cover letter to the report. "It is vitally important that leadership and management skills, abilities and experience be among the key criteria the new president uses to select his leadership teams in the agencies."

The letter was addressed to Sen. George Voinovich, R-Ohio, ranking member on the subcommittee on Oversight of Government Management, the Federal Workforce and the District of Columbia.

In a show of how IT has become more central to government operations, the number of questions GAO suggested senators ask when interviewing nominees increased from only three in the 2000 report to 26 questions in the 2008 report. New topics include how a nominee would strengthen IT project management, use IT to improve health care, tighten cybersecurity and protect privacy, and use IT to give the public access to government documents. Some examples of the questions include:

Ensuring that system programs and projects are effectively planned and managed can be challenging. Describe the experience you have had that will help you to ensure that key capabilities and controls are implemented to increase project success.
What qualifications and experiences do you bring relative to leveraging enterprise architecture to facilitate organizational transformation?
How does your experience prepare you for overseeing privacy practices and ensuring that they are adequate?
What do you see as the greatest information security challenges facing your agency? What experience or knowledge of information security do you have that you could use to help address your agency's challenges?

The watchdog agency listed specific IT management problems, including the Agriculture Department's modernization system. GAO recommended asking a political nominee for a position with Agriculture, "Have you ever taken an organization through information systems modernization? How close were the cost and completion estimates to the actual numbers when all systems were operational?"

The report also cited the Census Bureau's troubled handheld computer contract to support the 2010 decennial census. GAO suggested that senators ask Commerce Department nominees, "What experience, if any, do you have that prepares you to deal with such technical management concerns?"

]]>

Philadelphia-based consultant buys McConnell International

Allan Holmes — Tue, 14 Oct 2008 00:00:00 -0400

Clinton Rubin LLC bought McConnell International, which advises companies on how to win federal business, for an undisclosed sum in a move to enter the stable and lucrative government market. Most economists believe the nation is entering a recession brought about by the upheaval in the financial industry.

"This is a great market in pretty tumultuous times," said Brad King, who joined Clinton Rubin in September and will become president of McConnell International. King was chief executive officer of Serco Group Inc., an outsourcing services company with contracts with national and local governments in the United States and Canada.

Bruce McConnell, who founded McConnell International in 2000 after leaving OMB, said he sold the firm to focus more on working in the field of collaborative technologies and cybersecurity. "I felt like I wanted to do other things," he said.

McConnell said he plans to consult with clients on how government can use new tools to work together and how those technologies may affect the operations and organization of government in the future. McConnell's other venture, Government Futures, which relies on predictive market theory to provide insight into future outcomes in government operations, is not part of the deal.

Clinton Rubin does not plan not to make immediate changes to McConnell International. King said, however, he does plan to add analytic services to the firm's offerings. For example, McConnell International may take on some of what King called the "thornier issues that the industry is dealing with." For instance, the firm might study how the government will approach the economic rescue plan Congress recently passed to unearth federal opportunities not readily apparent to most companies, King said.

McConnell left government after directing the International Y2K Cooperation Center, which was established under the auspices of the United Nations and World Bank. The center coordinated the work of more than 170 governments, private firms and organizations in a global human and electronic network that worked on solutions to fix computers for the Y2K bug.

]]>

Time for Tech

Allan Holmes — Mon, 15 Sep 2008 00:00:00 -0400

What's in store for federal IT during a period of transition.

For the federal information technology community, the past two years have been some of the leanest and most uneventful in recent memory. IT budgets have not kept up with inflation and agencies have announced few innovative projects.

But in 2009, government just might see its technology engine rev up, or at least shift out of neutral, once again.

That's the message in this package of stories for the Technology Outlook issue, brought to you by Nextgov.com, Government Executive's online sister publication, which covers the government tech world. The dawn of a new administration in January brings the potential for a boost in IT projects, according to federal and industry IT professionals who participated in a roundtable discussion sponsored by the Association for Federal Information Resources Management. These chief information officers, researchers and executives agreed that the new administration will have a unique opportunity to elevate technology to a central role in a management plan for government. The chances look good, the group said, given the enthusiastic embrace of online campaigning this election year.

New presidents can bring big changes-and Barack Obama and John McCain frequently and repeatedly remind voters they will-making the outlook uncertain for some existing IT initiatives. But it's likely that quite a few programs will live on, regardless of who is in the White House, writes Carolyn Duffy Marsan in her piece on sure IT bets for 2009. Look for the next administration to continue President Bush's effort to consolidate systems and services, and to secure networks against cyberattacks. Other likely initiatives include expanding electronic government and investing in technology that uses less energy. These are ideas that rise above politics. It's hard for any Republican or Democrat to be against saving money, improving services or tightening national security.

Nevertheless, money will remain an issue for many agencies, as the Defense Department tells us. IT budgets for the military services are flat and will remain so, leaving technology managers looking for ways to save money. That might include moving away from managed services, one of the hot IT trends of the 1990s, in which agencies outsource the day-to-day management of an entire network to a contractor. Instead, the Defense Information Systems Agency plans to develop plug-and-play services for its users in hope of providing better capability for less money. This could signal a trend to move more IT operations back in-house.

Of course, talk of a new president inevitably leads to discussions about leadership. For technology, it is no different. So, Nextgov sat down with Kenneth Ruscio, president of Washington and Lee University, who has written extensively on the subject, to talk about what constitutes leadership and how IT is influencing leaders. The interview is part of a package of online features that make up our Technology Outlook report. We invite you to visit www.nextgov.com/techoutlook to check them out and to read the entire special report to learn what IT plans to make for the coming year.

]]>

Census program to use handheld computers said to be in ‘serious trouble’

Allan Holmes — Wed, 02 Jan 2008 00:00:00 -0500

The bureau plans to issue more than 500,000 handhelds to temporary employees to collect personal data on Americans who do not return census forms in the mail. The handhelds are being developed under a $600 million contract awarded to Harris Corp. in 2006.

But Mitre Corp. officials who met with Jay Waite, deputy director of the Census Bureau, said the agency has experienced so many delays and cost overruns in developing the handhelds that it should immediately develop a contingency plan to use paper forms.

Mitre, which the bureau hired in 2004 to periodically advise it on information technology programs it is developing for the 2010 census, met with Waite Nov. 29, 2007, at Census Bureau headquarters in Suitland, Md., to discuss the progress of the handheld computer contract, called the Field Data Collection Automation contract.

Mitre officials told Waite that "FDCA is in serious trouble," according to a talking points document Mitre prepared for the meeting that Government Executive obtained. "It is not clear that the system will meet Census' operational needs and quality goals. The final cost [of the contract] is unpredictable. Immediate, significant changes are required to rescue the program. However, the risks are so large considering the available time that we recommend immediate development of contingency plans to revert to paper operations."

The Mitre document heightens already serious concerns about the bureau's preparations for the 2010 census. In reports over the past couple of years, the Government Accountability Office has warned Census officials about the consequences of falling behind schedule in developing the handheld computers and has questioned efforts to manage the project's risks.

The Mitre document addressed the more grave scenario that the handhelds will not work as planned. It indicated that the bureau now has reached a point at which it cannot develop all its requirements for the handhelds in time for the 2010 census -- even if it could increase the program's funding. "Money cannot trump time remaining," the document stated.

"This is extremely strong language that cannot be ignored," said Robert Charette, a risk management expert who consults with federal agencies. "The document lays out that [the Census Bureau has] run out of time. It would be professionally foolish not to have a contingency plan in place to meet [Mitre's] concerns and the resources allocated to make that happen."

Census officials said via e-mail that they "have no plans to revert to paper. Also, at this stage of the decade, such a major change in plans for key operations would pose its own set of significant challenges and risks."

They acknowledged that managing the handheld computer contract presents "significant challenges," and said they are monitoring and reviewing "all aspects of the contract in order to ensure a successful census."

The problems Mitre cited in its document included "significant" inconsistencies between the bureau and Harris about when certain deliverables for the handhelds were due. It also noted that requirements for the program had not been fulfilled, and questioned whether remaining requirements could be completed in time. Mitre also claimed the FDCA program "lacks a leader with the experience, stature and passion to make FDCA successful," adding the "Census Bureau has a lack of personnel with large-scale IT program management experience."

Mitre officials could not be reached for comment.

David Powner, director of IT management issues at GAO who has been auditing IT systems the bureau is developing for the 2010 census, said he had seen the Mitre document and agreed with its conclusions. He noted that GAO has warned Census that it had not clearly defined its requirements or developed a defined test schedule, including setting up a trial to test data collection and processing using the handhelds from end to end.

"There's not a real solid plan for what is going to be tested when in the 2009 and 2010 time frame," he said.

But Powner said GAO was not ready to advise the agency that it should consider going back to a paper and pencil method. "Clearly, you want to have contingency plans," he said. "That's not a surprise. But recommending a complete paper census? I do not know that we're there yet."

Mitre recommended the bureau work with Harris to create a baseline of what it can accomplish before the 2010 census to determine the full requirements for the handheld computers and their cost. The document also recommended that Census appoint a manager to "ruthlessly implement" the program's schedule, complete a plan to test the system from end to end (and not squeeze the schedule to save time and money); and streamline bureau management reviews of the contract.

If the Census Bureau cannot use the handheld computers, it is unclear how much more the 2010 census would cost. Its budget is now estimated at about $12 billion. In 2001, when Waite first conceived the idea of using handheld computers, the bureau argued that they would save billions of dollars that otherwise would be spent on printing, storing and transporting millions of maps and hundreds of millions of census forms. (See "On the Brink," Government Executive, July 15, 2007.)

]]>

What's Brewin: Valid Excuses?

Allan Holmes — Mon, 24 Sep 2007 00:00:00 -0400

Editor's note: Regular columnist Bob Brewin is on vacation. The next column will appear Tuesday, Oct. 9.

Yeah, This Is Hard Stuff

It's rather common for the top information technology executives in government to tell Congress that the reason their IT projects are so far behind schedule and over budget is because of the projects' complexity. It's also common for members of Congress and the public to respond, "Yeah, right. Tell me another one."

That seemed to be what was happening last week at a hearing of the Senate Veterans' Affairs Committee. Robert Howard, assistant secretary for IT at the Veterans Affairs Department, took some heat for saying that it will probably be years before a system to share electronic health records with the Defense Department will be complete (mostly because of the tedious process of determining technology standards and policies on nomenclature). Same old, same old, right?

Wait. Also testifying was John Glaser, the chief information officer at Partners Healthcare in Boston, which is considered one of the leading health care facilities in using technology. This is what he told the senators:

"It is very, very difficult to exchange data. As you discuss progress, as it goes on here, we ought to be mindful of the extraordinary difficulty here, both technically, [with] policy procedures, privacy . . . and while making sure we have a good game plan and accountability, that we appreciate it will take several years to effect and effect well, certainly to the degree that we would like to see it [with] broad operability. So, let's appreciate the challenges that confront those that make those organizations happen."

No senator responded.

VA's Big Security Numbers

Ever since the VA disclosed in May 2006 that a laptop was stolen from an employee's house, security has been at the top of executives' agenda. At the hearing, Howard gave some details on progress in tightening the department's information security strings:

More than 18,000 laptops have been encrypted. (No word on what percentage that number represents of all VA laptops.)
The department is in the process of procuring software to encrypt data stored in databases.
The agency has transferred almost 6,000 employees to its Office of Information and Technology.
VA has completed tests of 10,000 security controls on 603 computer systems.

Highly and Deeply Concerned Over Army IT

You don't have to read too far into the Senate report that accompanies the Defense Department's fiscal 2008 appropriations bill to learn that senators are a bit concerned about the Army's IT management prowess.

For example, in the report's discussions of four consecutive Army IT programs, you learn that the committee is "highly concerned," "is concerned about this program delay," "denies the requested funding for," "is deeply concerned" and finds "an exponential growth in requirements" for an IT program "particularly troubling."

Such hand-wringing led the committee to deny the Army's request to triple the funding for the Warfighter Information Network -- Tactical (WIN-T) program. The committee increased funding for the WIN-T program by only $100 million to $737.9 million. The committee denied the Army's request for $56 million for the third component of the Excalibur Precision Guided Extended Range Artillery Projectile because the Army had yet to develop an acquisition strategy.

Who says the military services get everything they want?

Well, there is the General Fund Enterprise Business System (GFEBS), a commercial-off-the-shelf Web-based enterprise resource planning system that will allow the Army to share resource management data across the organization. Although the Army's fiscal 2008 budget request "differs substantially" from the original request and from a briefing the Army gave the Senate earlier this year -- all of which the committee noted indicates "no . . . stability in the GFEBS program" -- the appropriations committee, "faced with a lack of alternatives," according to the report, reluctantly agreed to more than double the budget to $122.7 million.

The committee, however, does want the Army to submit updates that "include the program's requirements, schedule, status of deliverables, contractor performance and execution of resources not less than every 60 days."

]]>

On the Brink

Allan Holmes — Sun, 15 Jul 2007 00:00:00 -0400

The success of the 2010 census hangs on a risky switch to handheld computers.

The risky idea for changing the way the Census Bureau gathers the most consequential data about every American sprang from the mind of one man: Jay Waite.

In 2001, shortly after the bureau had cleaned up after the 2000 census, Waite, then head of the decennial census program, was convinced the bureau had to alter the way it conducted the 2010 count. The cost of the 2000 census had topped $6.5 billion, doubling from 1990, after adjusting for inflation. Initial estimates predicted the 2010 count would nearly double that, to $11.3 billion. The 2000 census also had come under sharp political criticism, with Democrats, local government officials and minority groups claiming it had undercounted minorities and low-income families.

It didn't take long for Waite to come up with an answer: use handheld computers to replace the paper-and-pencil method of collecting data from Americans who have not sent in their forms and move the costly and cumbersome long form, which has more than 40 questions, to another census survey program. "This idea, as it were, of going to automation and handhelds came out of my brain," he says.

He surprised himself. Waite describes himself as a farm boy and Luddite. But he says his transformation occurred during the 2000 census as he heard "more and more talk about cell phones and handheld devices. We tied our horse to that fact, and I bet that the technology would come to me."

Six years later, the bureau is poised to give handheld computers to the 525,000 enumerators it will hire to go door-to-door collecting information from the estimated 108 million Americans who will fail to send in 2010 census forms. The plan represents "the biggest move in a decennial census in our lifetimes," boasts Waite, who was promoted this year to deputy director, the No. 2 position at the bureau. "It is a huge change."

Waite's bet on technology to support a huge business-process change sends shivers down the spines of risk management experts. With so much riding on the outcome of the census (the data is used to reapportion seats in the House of Representatives and state legislatures, to plan state roads and highways, to build schools, to market goods and open businesses, among other things), experts say the decision to move to handhelds should have been supported by a full-scale analysis called enterprise risk management.

The Office of Management and Budget and the Government Accountability Office have strongly advised agencies to include risk management as a key element when undertaking new projects-especially huge ones. Enterprise risk management is relatively new. It expands the theories of project risk management to the entire enterprise, analyzing how a change or investment in a new technology might affect each business unit. It starts out, however, by questioning the reason for change in the first place. "The fundamental question to ask is not 'What's the problem you want to fix?' It's 'What do you want to accomplish?' " says Bill Sharon, chief executive officer of the consulting firm Strategic Operational Risk Management Solutions. "We are all very adept at describing what is wrong, but it takes a greater effort to figure out what is it that we want to go right."

That's where the Census Bureau has fallen short, a failure that cascades risk throughout the bureau, experts say. The decision to use handhelds is a classic case of an agency failing to incorporate enterprise risk management. As a result, the bureau has put the census at a much higher risk for failure. Already, problems are cropping up, for example, a five- to tenfold increase in the handheld contract requirements, cost overruns and lack of an overall recovery plan should the handhelds suffer interruptions of service or, worse, fail altogether.

"All this borders on professional IT malpractice-if not malfeasance," says Robert Charette, director of the enterprise risk management and governance practice of the Cutter Consortium in Arlington, Mass. "The handheld project is an IT blunder-not a failure-in the making. A failure is when you do all the things you should, but things still go off the rails. A blunder is when you don't do the things you know you should, many times because of hubris, and things go off the rails, predictably," says Charette.

Unintended Consequences

Because of congressional attention to project costs, when agencies consider risk, they tend to focus on potential budget overruns and deadline slippage. For that reason, agencies work hard to manage requirements risks, especially for information technology projects. They home in on only those requirements designed to meet performance goals for systems. Recently, security risks also have appeared on agency radar screens, thanks to media attention to identity theft from federal IT systems.

Such a narrow focus would not fly in the private sector, whose regulatory organizations have recognized the importance of enterprise risk management. The Basel II Accord, a set of guidelines for measuring bank risks put together by the Group of 10 countries, includes operational risks to the enterprise. As of the end of last year, the accord required financial services companies to carry enough capital to offset the companywide level of risk, which includes IT systems. The Treadway Commission's Committee of Sponsoring Organizations, a private sector organization formed in 1985 to combat fraudulent financial reporting, has an enterprise risk management framework that includes IT risks. And the Control Objective for Information and Related Technology also advises organizations to set up an enterprise risk management framework.

That means executives should manage risk across the enterprise, not just in silos. Changes to processes in the human resources department can affect, unintentionally, the business processes in the finance department. Likewise, changes to, say, business processes in the IT department can unintentionally affect manufacturing and thus the quality of the company's products. In the case of the Census Bureau, deploying technology to change the way the census is conducted can have numerous unintended consequences across the operation. To begin analyzing those risks, management experts suggest that organizations first must ask whether the investment in the change improves the organization's ability to meet its mission.

The agency should ask, "What do you want to accomplish?" says Sharon.

But that's not what happened at the Census Bureau.

A Solution Looking For a Problem

The bureau first formally presented its argument for using handhelds in June 2001, in a 10-page report titled "Potential Life Cycle Savings for the 2010 Census." Compiled by top managers, it lays out the plan to use handheld devices linked to the Global Positioning System to collect more accurate data on new housing units-GPS signals would provide better location information. The plan also called for administering the long form during the annual American Community Survey rather than the decennial census, to boost response rates and to reduce enumerators' workload. Using handhelds would eliminate the cost of printing, storing and moving the 20 million maps and 400 million census forms the bureau used in 2000. These costs soak up about two-thirds of the total cost of the decennial census, or about $4.3 billion of the $6.5 billion total in 2000.

The handhelds also would reduce the number of households that enumerators would need to visit, according to the report. In 2000, 4 percent of households visited already had sent in forms, but too late for the bureau to inform enumerators. Handhelds would be updated throughout the day about forms received, saving the bureau about $135 million, according to GAO estimates. Other savings would come from reduced mileage costs (5 percent per case) and increased productivity (5 percent). In all, the Census Bureau calculated it would save $2.9 billion by using handhelds instead of the pencil-and-paper method used in 2000. The bureau estimated the cost of the redesign to be $2.4 billion, bringing net savings to $445 million.

The report was presented to the National Academies of Science; top executives at the bureau's parent organization, the Commerce Department; and GAO. Waite says they all supported the bureau's approach.

But the report fails to address how moving to handhelds will improve the mission performance, says risk management expert Sharon. "From a risk perspective, you don't start with money," he says. "You start with the vision." The report gives passing reference to how the redesign will provide more accurate data-a key criticism leveled by advocacy groups and Congress during the 2000 census. "The 2010 census will be armed with a far more comprehensive, timely and accurate address list-one of the best predictors of a successful census-without the added complexity, risk, end-of-the-decade costs and last-minute address-building costs," according to the report.

But Sharon says a vision requires much more. It requires calling together operational managers from every line of business to advise on what needs to be accomplished and what must be done to accomplish it. In the census' case, what's the best way to count every American, as required by the Constitution, while avoiding the political fallout the bureau suffered in 2000? Only after developing several options should an organization begin pricing them. If the best option is a budget buster, managers must move to No. 2 or No. 3, Sharon says.

Other options could have included relying on the Internet, telephones or some other approach that might not use technology, such as better marketing techniques. (The Census Bureau says that years after issuing the life-cycle savings report, it tested the use of the Internet, but concluded that the online approach didn't appreciably increase the response rate. Census thus contended that the cost of developing an Internet program would be too high. As of last year, Congress insisted that the Census Bureau should be pursuing an Internet option using the IRS' electronic tax filing program as a model.)

'Handhelds Are the Keystone'

Armed with a document outlining $445 million in savings from adopting handhelds for 2010, the bureau began figuring out how to obtain the devices. After giving up on the idea that its IT shop could modify a commercial personal digital assistant, the bureau issued in January 2005 a request for industry bids. In March 2006, the bureau awarded the $600 million Field Data Collection Automation contract to develop and manufacture the devices to Harris Corp., a telecommunications company based in Melbourne, Fla., with experience supplying the Defense Department and law enforcement agencies with tactical radios. Losing bidders included Northrop Grumman and General Dynamics.

But just weeks before the award, GAO criticized the bureau's risk management strategy. In March 2006 testimony before the House Subcommittee on Federalism and the Census, David Powner, director of information technology management issues at GAO, said the bureau had identified some high-level risks and drafted a risk mitigation strategy. But, he added, "the FDCA project office has not yet revisited or analyzed the identified risks, begun prioritizing and tracking project risks, or documented risk mitigation plans. Until the team implements an effective risk management process, it will lack a mechanism to address known and unknown problems."

When Powner audits an agency's risk management strategy, he reviews performance of five tasks:

A list of all known risks. "The biggest red flag is if we don't see 20 or 25 risks listed," Powner says.
A scale on which risks are ranked. The scale can be from low to medium to high risk, or from 1 to 5. It doesn't matter, just so they are ranked.
Aggressive mitigation. The highest rated risks are given to owners to mitigate, with a specific time frame. "When we go into the FDCA program office, we want to see activity that shows they are all over these risks," Powner says.
Informed top executives. Project managers should inform executives of the highest risks and what action is needed from leaders to mitigate them.
Aggressive follow-up. The minutes from meetings of project team leaders and risk assessment boards should show that members discussed risks, mitigation strategies and what progress is being made. "We don't want to only see a plan; we want to see action that's documented," Powner says.

For Census, managing the risk of the handheld contract was paramount, auditors have said for years. "The handhelds are the keystone to the reengineered census," says Mathew Scire, GAO's director of strategic issues. "The arch isn't going to stand if the computers don't work."

FDCA project managers at the bureau and at Harris stress that a lot has been done in the past year. "Much of what the GAO has pointed out as a problem, we have fixed," says Ed Wagner, FDCA project manger at Census.

The bureau has created a review board that meets monthly to go over risks that project members have identified-mostly cost- and schedule-related. Harris-which teamed with Dell Computer, Accenture, Oracle and High Tech Computer Corp. on the handhelds-has formed a similar board tracking mostly technical issues, says Mike Murray, vice president of census programs for Harris. Each board ranks risks, and project managers inform top executives about the most pressing ones. The boards document each new risk and assign it to an owner, who is responsible for tracking mitigation.

Murray outlines the company's response to the data security risk. He says securing information stored and transmitted by the handhelds is No. 1, especially because private data would be held on the devices for a short period of time and transmitted over the cellular phone network. To mitigate that risk, Harris equipped each handheld with a biometric scanner, which enumerators must use to gain access to the GPS system, census questionnaire and stored data. If the reader fails to recognize an enumerator's fingerprint after three attempts, it shuts down for 15 minutes.

In addition, all stored data is encrypted. Data transmitted over the cellular network also is encrypted as it is en route over a virtual private network that uses the cellular network as a backbone. The handhelds are loaded with software to protect from malware, viruses and worms. Harris designed them so they cannot gain access to census networks or personal information in the databases or other Census networks.

Harris hired an independent security firm to try to break into one of the handhelds using tools and skills an average user would possess. "They've followed all the best practices for security," says Jeff Waters, director of government solutions at Securify Inc. "It looks like it would be fairly difficult to break into this."

Still, the bureau's review board has about 15 items on its risk list, 60 percent fewer than Powner likes to see. The majority of the highest-level risks involve events that could increase project costs, cause deadlines to be missed or expand the performance requirements for the handhelds, according to Jack Marshall, Census' deputy project manager for FDCA, who heads the risk management strategy. "The high risks we have are the traditional ones for large IT projects: those related to [contract] requirements, security, development and of course funding," Marshall says. "Those are the big ones."

This attention to risk is good, as far as it goes. The danger comes when considering enterprise risks, which Census, like most organizations, failed to do. "On a project this size, I'd like to see a list of at least 100 risks, not 20 or 25," Charette says.

Such risks involve how new systems will integrate with legacy systems and with daily operations, which can be adversely affected when new technology moves in. Confusion and lack of a strong plan also can affect the quality of products and services or, in the case of Census, accuracy and completeness of data. Already some risks are becoming reality at the bureau.

'Bugs Are Showing Up'

Upstairs in a sparse meeting room at the Manna Church in Fayetteville, N.C., Kelli Hermesch, a 28-year-old mother of two, stands in front of 11 students, holding her Harris handheld.

It's May 9, the second week of the Census Bureau's address canvassing dress rehearsal. Eventually, about 700 newly trained enumerators will spread out across Fayetteville and surrounding counties using the handhelds to check the accuracy of the addresses in the mapping database and to add new addresses that didn't exist during the 2000 census. The same drill is being played out in Stockton, Calif., where 600 enumerators are going door to door. The bureau picked Fayetteville and Stockton to test the handhelds because they provide a cross-section of America, including large military populations and many non- English-speaking residents.

Hermesch, a crew leader who will oversee the 11 enumerators she is training, has been reading from a manual that contractor Harris wrote. She reads instructions for entering a new address. She stops and paces the floor while she waits for the students to log on to their handhelds. At least four are having trouble. "If they seem slow, don't keep tapping them," Hermesch advises. "It will freeze them up. We still have a few kinks; that's why we have practice."

For more than 10 minutes, Angela Cregg, Hermesch's assistant, leans over the table where Bernice Wolff, a 70-year-old retiree from Fayetteville, can't log in and is having trouble working through the menu for adding addresses. After a couple more minutes, Hermesch tells those who cannot log in to work with a partner.

During a break, Wolff, who like the majority of temporary enumerators the bureau will hire, is older and retired and therefore less technologically proficient than younger workers, says her handheld "is giving me a lot of problems. I put my finger on it [the biometric reader] and it says it hasn't found my finger, and then it locks me out for 15 minutes," she laments.

Wolff worked as an enumerator in 2000, hauling around hundreds of paper forms and large maps. "I like the old way because I'm old," she says. "I hope it will work, but maybe the paperwork that comes along with it will help me when I get stuck."

She isn't the only one having difficulty. Monique Moya, a crew leader for the Fort Bragg military base in Fayetteville, says that at any one time, at least two of the eight enumerators she supervises experienced some problem. Those in the field are instructed to contact crew leaders with problems. If crew bosses can't handle them, they are to call a Harris technician. Most of Moya's problems are software related or are caused by the 10 second or so communications delay with the satellite. "When the handhelds are working, it's great," she says. "But with this being the first rollout, all the bugs are showing up."

Hermesch says one of the crew leaders she trained-an older woman-quit because the technology was too intimidating. "People who are not used to computers have a harder time grasping the technology," Hermesch says. "It makes it difficult for them."

The Commerce Department's in-spector general and GAO warned that the handhelds risked causing confusion if Census failed to hire workers with computer skills. Nowhere on the list are risks associated with productivity or training. "So far, neither we nor the field people have applied such an impact," Census risk manager Marshall says. Census executives told GAO that if they used computer skills as a criterion for hiring, they would be unable to find enough enumerators.

If that's the case, say risk management experts, then Census should have developed a strategy to deal with the consequence of introducing new technology into a decades-old business process. That's enterprise risk.

"Any time new technology is introduced, productivity [tends to] decline . . . especially if the workers don't have computer skills," Charette says. "They should have planned for what was obviously going to happen."

Planning for Failure

Some risks are obvious, some are less so. Enterprise risks tend to be obscure because they require executives and IT managers to think across entire organizations. But one rises above all others and never should be left out of any planning: What if the new computer system doesn't work? What is your Plan B and, just as important, what's the plan for carrying it out?

Planning for a new system to fail is Project Management 101. Top executives should have a strategy to recover and continue operations if a new mission-critical system fails when it's brought online. For IT projects that replace legacy systems, project managers typically will keep the old system operational, ready to go back online if the new one fails.

The Census Bureau has no such plan.

In June 2006, Census Bureau Director C. Louis Kincannon appeared before the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security to testify about the 2010 census. After sharp questions about rising costs, then-chairman Sen. Tom Coburn, R-Okla., asked Kincannon what the bureau planned to do if the handheld computers didn't work. The query, a Senate staffer recently recalled, was a "real softball question, one we thought Kincannon could answer easily and would look good doing it. But we could not believe his answer."

The director bluntly stated that the handhelds would work, implying there was no need for a contingency plan.

Coburn asked the question, in various forms, four more times, with Kincannon insisting the Census Bureau had proved that handhelds work and that there is no reason to plan for a contingency. (At the time, only three months had elapsed since Census awarded the handheld contract to Harris.)

Finally, an exasperated Coburn said, "Your testimony today is . . . there is no alternative plan if it does not work."

"We will have to hire more people to conduct traditional pencil-and-paper nonresponse follow-up," Kincannon replied.

The director "has turned risk-taking into a gamble. He's saying that there is a 100 percent chance the handhelds will work and nothing will go wrong. Nothing, especially in large IT projects, has a 100 percent chance of working. It's all a gamble now," says Charette.

Census' Marshall says part of the risk strategy for next year is to develop a continuity of operations plan, and he says Harris Corp. executives have it on their "radar screen. We've looked at contingency plans, but they aren't so formal," he says.

GAO's Powner says that in general, formulating contingency plans near the end of a project, especially a large IT project, is "too late. There's no going back and adding them in. It would be meaningless," he says.

It also is too late to plan for a possible failure when Census and Harris scale the system from its first field tests of 1,300 people to the 525,000 enumerators that will use the system in April 2010. Marshall says Census and Harris IT managers are thinking about the risk of scaling the system, but no tests or plans have been laid out.

Charette says the tests should have been conducted by now, including pushing the system 10 percent to 20 percent beyond its expected maximum workload, which could present complicated problems that need time to solve. "This is one of the biggest risks for a new system-increasing the workload from a small lab setting to a much larger real-life situation," Charette says.

"It's getting too late in the game to run these tests."

'Seat of Their Pants'

The Census Bureau's gamble might very well pay off. The handhelds could work flawlessly and the accuracy of data could be improved. After all, Census and Harris executives say they have experienced only minor software glitches and other problems they can fix quickly before the second dress rehearsal next year. And the bureau still has 32 months until the count kicks off in April 2010. But that's not the point. Changing the data collection process presented huge risks to the enterprise and the core mission of the bureau. Failing to manage the enterprise risks compounded them. Costs already are rising, according to GAO, with Census $31 million over budget on the handheld contract, according to the Senate's census oversight subcommittee as briefed by GAO.

What's more, Powner says, past experience with the decennial census has demonstrated that the largest cost increases occur in the last few months leading up to the count, which for 2010 would mean 2009. Moreover, requirements for the handhelds have increased five- to tenfold, according to the Senate oversight committee. "It's a huge red flag that contracts are in trouble when requirements in-crease that much," Charette says.

Sharon adds that "requirement creep" like that is a direct result of not properly analyzing what an organization is trying to accomplish and developing options to do that. "We are hugely concerned that they are flying by the seat of their pants and don't know want they want," says a Senate staffer.

More telling, perhaps, the savings Waite promised in 2001 are being eaten up by cost increases. Estimates now show that even with the handhelds, the bureau will end up with a more expensive census than originally projected, possibly costing $13 billion or more, Kincannon admitted to Coburn during last year's hearing.

By almost any measure, Sharon says, handhelds weren't a risk worth taking. The $445 million savings, spread across 10 years, represents only 1.5 percent a year, he points out. "That's absolutely not worth it, especially given the risks of the project," he says. If other options were considered back in 2001, money could have been better spent, he says.

Sharon says the project had little chance of generating savings in the first place because it was conceived and analyzed incorrectly: "The last place something like this should come from is somebody's head."

]]>

Patching Holes

Allan Holmes — Sun, 01 Jul 2007 00:00:00 -0400

Fixing network vulnerabilities can be easier than you think.

For years, information security managers have operated under this rule of thumb: Holes in systems-the unintentional errors in the underlying code or configurations that allow viruses, malware, worms and hackers into a network-present the biggest security problem. At least 95 percent of all network intrusions and downtime are the result of these mostly known vulnerabilities.

That makes security management fairly straightforward. If the security manager kept on top of what security holes were found and the patches were released to plug those holes, the networks would be almost entirely inoculated from unwanted intrusions.

Unfortunately, that's not the case anymore, according to Alan Paller, director of research at the SANS Institute in Bethesda, Md., which provides cybersecurity training and manages the Internet Storm Center tracking threat trends. While known vulnerabilities remain a major concern, two other threats have increased at a pace that makes them a high risk for networks as well.

One is so-called spear phishing, in which a hacker tricks employees, usually through an e-mail message, to provide personal information either about themselves or about other employees, including top executives. The cyberthief then uses that information to create a false identity or to gain access to online accounts. The other threat is called unvalidated inputs or input checking, in which a hacker embeds a command in a string of characters within a field (say, one asking for your name) to obtain personal information. The command tricks the underlying database to provide the database's entire list of names and personal information. These two attacks have become so common that they now account for two-thirds of all cyberattacks, Paller estimates. The traditional security flaw of not patching systems on a routine basis accounts for the other third.

By focusing on these three kinds of cyberattacks, security experts say organizations can eliminate just about all of their security problems.

How to Patch

Like any other thief, a cyberthief looks for the easiest way in. That means looking for vulnerabilities in programs and hardware, many of which are easily found on the Internet. Hackers move from organization to organization looking for the one system that hasn't been patched.

By creating a patch management process in your organization, you can secure your systems dramatically. It sounds easy, but apparently it's not. Less than half of all organizations worldwide have a process in place that IT executives follow routinely to keep systems and programs patched for the latest vulnerability, according to a 2006 survey conducted by CIO magazine and management consultant PriceWaterhouseCoopers. Even fewer government agencies have created such a process; less than 40 percent of all public sector IT managers say they follow a patch management process.

Why don't more IT managers follow what is arguably one of the best ways to keep viruses, malware and hackers out of their systems? Because it takes a lot of time. Even when the system is patched, new code can create errors, which take even more time to fix.

Lack of time is becoming less of an excuse because information is easier to come by. The National Institute of Standards and Technology's National Vulnerability Database, a repository of all known vulnerabilities and how to fix them contains almost 25,000 known vulnerabilities collected from the Common Vulnerability and Exposure dictionary, which is managed by the technology nonprofit Mitre Corp. in McLean, Va., and funded by the Homeland Security Department. The dictionary lists all known security holes in computer systems. When a new security hole is discovered in a computer system, Mitre assigns it a number, writes a short description and posts it on its CVE Web site (cve.mitre.org). Within hours, typically, it appears on the National Vulnerability Database. Within a day or two, NIST posts links to how to fix the vulnerability.

In a typical week, Mitre alerts NIST to 100 to 150 vulnerabilities. With that many to check into, it's no wonder most system administrators avoid creating a patch management process. But security experts also offer ways to manage the long list of holes by providing help in focusing on those that can cause the most damage and that are most pertinent to your infrastructure.

Rating Threats

First, NIST and Mitre assign each vulnerability a score from 1 to 10 on the Common Vulnerability Scoring System. The higher the score (the most severe have a score of seven or higher), the greater the chance the vulnerability will create havoc and put data at risk. Focus on those vulnerabilities that are the most severe, says Robert Martin, principal engineer at Mitre.

You can refine that list even more. The National Vulnerability Database Web site allows users to add their own network characteristics so that the scores reflect the threat to their specific systems. For example, you can rate how much data you are at risk of losing or how much damage could occur to your systems if the weakness is exploited-low (light loss), medium (significant loss) or high (catastrophic loss). Do this evaluation for all vulnerabilities that are appropriate to your network and you can create a list of security holes that present the greatest threat.

You also can search for vulnerabilities that affect only those products and programs that make up your information architecture. Type in a name of any product plugged into your network and see what vulnerabilities are returned. Sort through those using the severity score, placing the most severe at the top of your fix-it list.

For the most effective protection, conduct a risk assessment of your networks to find where data is stored, and identify conduits to that data. Program managers and other employees might have stored sensitive data on systems that you are not aware of. Talk to them to find out.

If the job still seems big, it's because, well, it is-albeit not as big as before. By whittling it down to the vulnerabilities that pose the biggest threat, you'll remove work that might not provide much return in terms of security.

This is the first in an occasional series on how to put together a program that can increase network security-without spending your entire workday doing it.

]]>

Reform Trickles In

Allan Holmes — Sun, 01 Oct 1995 00:00:00 -0400

Proposals to overhaul the rule-bound federal service system abound, but most are simmering on Congress's back burner.

When Vice President Gore released his blueprint for reinventing government two years ago, he singled out the federal civil service system for particularly harsh criticism.

"Year after year, layer after layer, the rules have piled up" in the personnel system, said Gore's National Performance Review report. The document lamented the "cumbersome red tape" of personnel regulations, called the performance appraisal process a "meaningless exercise" and said the hiring system "is so complex and rule-bound that most managers cannot even advise an applicant how to get a federal job."

"To create an effective federal government," the report concluded, "we must reform virtually the entire personnel system: recruitment, hiring, classification, promotion, pay and reward systems."

Despite such tough talk, though, the Clinton Administration has made little progress in the past two years toward achieving its goal of revamping the civil service.

It finally got out of the blocks in May of this year, when it distributed to agencies a 160-page draft of a comprehensive civil service reform bill. The Federal Human Resource Management Reinvention Act, as the draft was named, would decentralize the government's civil service system, giving agencies more autonomy in hiring, paying and classifying employees. The proposal also would make it easier to penalize federal workers for poor performance and to transfer employees from one job to another.

The White House draft was quickly attacked from all sides. Federal unions were upset with provisions allowing mangers to cut workers' pay for poor performance. On Capitol Hill, both Democrats and Republicans said the Administration had failed to make the case for a complete overhaul of the civil service system.

"The bill doesn't have a whole lot of support on either side of the aisle," said a Democratic staffer on the Senate Governmental Affairs Committee this summer. Without such support, comprehensive civil service reform has little or no chance of being passed this year-or next, when presidential politics are likely to put the issue on the back burner.

Some Members of Congress continue to say they will press for limited reforms this year and will take up the idea of a thorough overhaul of federal personnel management in 1996. But any efforts to reform the system at this point will come relatively late in the game of reinventing government. Federal managers already have had to cut thousands of jobs and restructure their operations within the context of a rigid civil service system that makes it difficult to hire, supervise, promote, reward and fire employees. And with next year's expected austere budget, more cuts are on the way.

So, experts say, civil service reform is already overdue. "If we're going to continue to downsize and restructure the government at the rate we are now," says Frank Cipolla, project director of the Human Resource Management Center at the National Academy of Public Administration, "we simply have to do something that significantly changes the civil service system."

The Bill

The Clinton Administration has taken some steps to deregulate the civil service system since the NPR report was issued. In January 1994, Office of Personnel Management director Jim King announced the "sunset" of the 10,000-page Federal Personnel Manual and said agencies would be allowed to create their own sets of personnel regulations. And since January of this year, agencies have not been required to use the traditional SF-171 job application form for hiring. But in addition to such actions, the Administration also has promised a thorough overhaul of federal personnel laws.

The Federal Human Resource Management Reinvention Act delivers on that promise, says Michael Cushing, chief of staff at OPM and one of the authors of the bill. He calls it "the most significant change in civil service law in a century."

The most recent attempt to overhaul the federal personnel system was the Civil Service Reform Act of 1978, which abolished the Civil Service Commission and created OPM to enforce civil service statutes. The law also established the Merit Systems Protection Board, made it easier for managers to fire incompetent employees, defined merit principles for hiring, promoting and payment, and gave employee unions the right to collectively bargain on certain personnel practices and policies.

But many federal managers say the law did little to make the system more responsive to their needs. "A lot of the problems that the law was supposed to correct we're still looking at today," says a civil service expert. "The NPR report was deja vu all over again."

Administration officials say their bill will finally get the job done. Most of its provisions can be summed up in two words: increased flexibility.

"The government in the 21st century is going to need to be more flexible and more entrepreneurial," says Elaine Kamarck, Gore's senior staffer on NPR. "That means procurement rules, the way we budget and the way we hire and fire people have to be more flexible and entrepreneurial."

In hiring, for example, OPM currently administers tests for about half the jobs filled in the federal government. Under the bill, agencies would take over the testing responsibility or develop their own systems to rate job candidates.

Agencies also would be allowed to hire temporary workers, with fewer job protections than permanent employees, who could work in assignments for up to five years. The bill would give agencies more leeway in setting up experimental personnel systems-as long as OPM approved them. It also would abolish the statutory definitions for the 15 grades in the General Schedule pay system and replace them with broader criteria developed by OPM. Agencies also would be permitted to implement a "broad-band" pay system, which allows managers to promote employees to higher pay levels without having to satisfy the restrictive definitions of the present pay grades.

Finally, federal managers would have more flexibility in penalizing employees for poor performance. Under the bill, an employee's pay could be cut up to 25 percent for poor performance, and employees could no longer appeal to the Merit Systems Protection Board if denied a within-grade pay increase.

Most of the bill's language was drawn from the NPR report, as well as a January 1994 report issued by the National Partnership Council, a panel made up of Administration officials and representatives of federal labor unions. The Partnership Council recommended decentralizing the federal government's hiring, classification and performance management systems so managers and union representatives could work together on structuring separate personnel systems in each agency.

In another union-friendly provision, the bill would codify unions' bargaining rights in some areas. Agencies would be required to set up labor-management partnership councils to negotiate performance standards, pay, use of technology, how work would be performed and other issues. If agreement on these issues could not be reached, the bill would require binding arbitration.

Drafters of the bill, however, also included provisions that anger the unions. In May, the heads of the American Federation of Government Employees, the National Treasury Employees Union, the National Federation of Federal Employees and the Public Employee Department of the AFL-CIO sent a letter to Kamarck expressing "grave concerns" about the bill. The union chiefs called the 25 percent pay-reduction authority "draconian," argued that the bill would give unions no bargaining rights in developing new classification systems and opposed giving OPM alone the power to define job categories. "Simply put," the letter stated, "we would be forced to publicly oppose this bill in the strongest possible terms should it be sent to Congress for action."

In the Republican-controlled Congress, the bill's partnership provisions are likely to be its biggest liability. "People who sit in negotiations over performance requirements have their own interests at heart, not the taxpayers' interests," says a House GOP staff member. Many Democrats don't like the partnership councils or other aspects of the bill, either. "Even if Democrats still controlled Congress," says a human resource management expert, "this bill would be in serious trouble."

What's Wrong?

Objections to the Clinton Administration's civil service reforms run deeper than just opposition to docking pay and setting up labor-management councils. The Administration's critics say it has done a poor job of cataloguing all that is wrong with the civil service system.

Staffers on the House Government Reform and Oversight Committee's Civil Service Subcommittee say it's impossible to make a case for comprehensive reform of the system without a complete accounting of all its problems. "What the Administration has done is engage in an academic discourse and given a few anecdotes, rather than zeroing in on the problems," says one.

GOP staffers on the subcommittee met with NPR officials in February and again this summer to ask for a specific list of problems with the civil service system-an "indictment," as they call it.

Kamarck insists the NPR has identified the problems with the personnel system in its "accompanying reports" to the NPR report. In one such report, "Reinventing Human Resource Management," 14 specific recommendations for civil service reforms are listed, each of which includes a short section identifying and describing problems.

For example, under a proposal to reform the General Schedule and basic pay systems, the report outlines six problems, one of which is inflexibility. The report states the classification system takes a "one-size-fits-all" approach, which doesn't work well because agencies "have diverse missions, challenges, organizational structures, values and cultures, and
. . . they must respond to ever-changing external conditions."

Such descriptions, say congressional staffers, aren't specific enough. A Republican House staffer argues that while Administration officials say they would like a more flexible system, "they haven't laid out exactly what the inflexibilities are." A Democratic staffer agrees: "I certainly want to see some more information on what's wrong with the system before we jump and pass something."

Of course, compiling a specific list of all that is wrong with the civil service system would be a monumental task. Over the years, the General Accounting Office has issued numerous reports analyzing problems with the structure of the federal government's personnel system. "But we've tended to do this sort of thing piecemeal because doing even one aspect of the system across many agencies is a very labor-intensive," says Nancy Kingsbury, who follows federal human resource management issues for GAO. "To take on the system as a whole is a little scary."

And just documenting the problems won't necessarily make the solutions self-evident. "The fact that the system doesn't work as efficiently as it could is not altogether the fault of the system itself," Kingsbury says. "It's the fault of the way agencies manage the system or the procedures that they put in place. That leads you to a completely different kind of solution."

Alan "Scotty" Campbell, the first head of OPM and one of the authors of the Civil Service Reform Act of 1978, agrees. Campbell says the decentralization of much of the personnel system proposed by NPR already is permitted under present law. "It's a matter of administration, not a matter of law," he says. "What's needed here are management decisions on what should be centralized and what should be decentralized. The easy slogans, like 'decentralize the system,' don't get you too far."

What's Next?

The lack of consensus on how to proceed with civil service reform is causing some groups to call for a fresh approach to the problem.

In August, the National Academy of Public Administration released a report on reforms agencies could implement that do not require new legislation. The report analyzes human resource systems implemented by private companies and foreign governments and gives agencies diagnostic tools to determine whether they should implement such reforms as broad-band pay systems.

Another reform effort was being prepared this summer by the Council for Excellence in Government, a nonprofit group in Washington. In conjunction with the Maxwell School of Citizenship and Public Affairs at Syracuse University, the council was working to secure funding for a series of seminars that a proposal says would "start with a clean slate, asking a number of fundamental questions that do not take the basic assumptions of the present civil service system as given."

On the Hill, House Republicans already are moving ahead with piecemeal civil service reforms. Rep. John Mica, R-Fla., chairman of the House Civil Service Subcommittee, recently held hearings on the difficulty of demoting or firing incompetent employees. Mica chose to focus on this first largely because proposals to address the issue have bipartisan support.

Mica would also like to tinker with rules governing federal reductions-in-force (RIFs). Smaller budgets and program eliminations contained in appropriations bills currently moving through Congress will likely force many agencies to conduct RIFs during the next couple of years.

In determining whom to lay off, managers currently are required to give preferential treatment first to veterans, then to employees who have the most seniority and third to employees who have good performance records. Such rules hamper agencies' efforts to retain the best-performing employees and hurt efforts to diversify the workplace, because most veterans and senior-level employees are white males. Mica is considering holding hearings sometime next year on veterans preference and other workplace rules and has asked GAO to report by next spring on all personnel and administrative laws that may hamper downsizing.

But whether Mica can actually move legislation dealing with poor performers or RIF rules this year or next is questionable. Veterans' preference, for example, has always been politically popular. Acknowledging this, the Clinton Administration chose not to touch the issue in its bill.

Moreover, with the upcoming battle over the budget and next year's presidential campaigns, civil service reform "isn't even on the radar screen," says a Senate aide. Supporters of reform probably won't be able to muster up much interest in the idea until 1997. By then, Gore's pledge to "reform virtually the entire personnel system" will be nearly four years old.

]]>

Civil Service Reform: The Administration Plan

Allan Holmes — Sun, 01 Oct 1995 00:00:00 -0400

October 1995

PERSONNEL AND WORKFORCE

(Sidebar to "Reform Trickles In")

The Clinton Administration's civil-service reform bill would redefine the role of the Office of Personnel Management and decentralize personnel procedures. Some of the bill's provisions:

Hiring System

- Authorizes OPM to delegate examining authority for all occupations to agencies.

- Gives agencies the option of hiring non-permanent employees for up to five years for jobs having a foreseeable end.

- Permits agencies to extend the probationary period for new supervisors and managers from one year to up to three years.

- Requires agencies to provide transition assistance to employees who are adversely affected by workforce reductions.

Performance Management

- Requires agencies to bargain with employees to create new performance management programs.

- Authorizes agency heads to approve individual incentive awards of between $10,000 and $25,000.

- Allows managers to cut poor performers' pay by up to 25 percent for 120 days.

Alternative Personnel Systems

- Eliminates most current restrictions on demonstration projects, including limits on the number and size of projects.

- Authorizes OPM to convert successful demonstrations into alternative systems with no time limits.

Classification Reform

- Retains the 15-grade General Schedule salary structure, but abolishes statutory definitions of grade levels.

- Directs OPM to establish government-wide criteria for broad-band pay systems.

Labor Law Reform

- Establishes the following "good government standard" as the policy framework for collective bargaining: "An agency and a labor organization are obligated to bargain collectively in good faith and consistent with the promotion of increased quality and productivity, customer service, mission accomplishment efficiency, quality of work life, employee empowerment, organizational performance and, in the case of the Department of Defense, military readiness."

- Provides statutory authority for the National Partnership Council and agency labor-management partnerships.

]]>

Shrinkage Rap

Allan Holmes — Mon, 01 May 1995 00:00:00 -0400

wo years into their reinventing-government effort, Clinton Administration officials couldn't be more upbeat about meeting one of their central objectives: trimming the federal bureaucracy.

In fiscal 1994, the executive branch's civilian workforce shrunk by about 102,000 full-time equivalent positions, dropping to a level of about 2.05 million. "Nothing has helped our credibility more on [reinventing government] than the fact that government is 102,000 people smaller," says Elaine Kamarck, who heads Vice President Gore's National Performance Review.

The downward trend is expected to continue this fiscal year. The Administration estimates the federal workforce will shed another 34,900 positions, bringing the size of the civilian workforce down to 2.02 million. The two-year reduction should total about 137,000 by the end of fiscal 1995 -- a 6 percent decline from fiscal 1993.

The cuts allowed the Clinton Administration to keep the head count in the executive branch below the ceilings mandated by the 1994 Federal Workforce Restructuring Act; 2.08 million in 1994 and 2.04 million in 1995. In subsequent years, the ceilings drop by 2 percent annually, until by fiscal 1999 the size of the civilian federal workforce will be capped at 1.88 million. By then, the workforce will have been reduced by 272,900 workers -- about a 13 percent cut from a base of 2.16 million in fiscal 1993.

Congress' goal in passing the act was to prune a bureaucracy that has become a symbol of government bloat and wastefulness. The bureaucracy has attained such ignominy even though it hasn't grown during the past 30 years hovering around 2.9 million, if postal workers and temporary and part-time employees are included. The mandatory 13 percent cut in non-postal civilian employment will bring the federal workforce down to the size it was in the early 1960s, before Congress passed the massive health and welfare programs of the Great Society.

The Clinton Administration is halfway to that goal, an accomplishment that is in no small part due to the law itself. Besides setting the ceilings, the law gave non-Defense executive-branch agencies authority to offer employees up to $ 25,000 each -- depending on salary and length of service -- if they retired early or resigned. (The Defense Department has been offering buyouts since fiscal 1993 and will continue its program through fiscal 1999.) Administration officials last year fought hard to get the buyout authority, which they viewed as one of the most effective tools for meeting the NPR's goals of reducing the number of government supervisors, managers and what it called "overhead" workers -- employees in personnel, budgeting, accounting, auditing, procurement and headquarters functions.

While the Administration may tout its success in reducing the overall number of federal workers, analysts following the Administration's progress in meeting the NPR's goals say too few of those leaving are supervisors, and congressional Republicans argue that the cuts were too concentrated in the Defense Department Also, agencies worry that they were forced to cut workers before they determined how to restructure their organizations to meet the NPR's goal of "creating a government that works better and costs less." Says Nancy Kingsbury, who follows federal employee management issues for the General Accounting Office: "I can almost guarantee you that five years from now we'll be issuing reports that find problems we can trace to a lack of supervision and workers in key areas."

Buyouts' Popularity

The Clinton Administration owes much of its success in reducing the executive branch civilian workforce to the buyout program.

As Government Executive went to press, the Office of Personnel Management was estimating that about 90,000 federal workers would accept buyouts by March 31 -- the deadline for doing so at non-DoD agencies -- some 55,000 of them from DoD. Another 10,000 DoD civilian employees are expected to accept buyouts by the end of fiscal 1995. Outside the Defense Department, buyouts were most popular at departments and agencies that have been targets for restructuring and downsizing, such as Agriculture, Education, Interior, Transportation, the General Services Administration and NASA. (See table, page 26.) Thus the buyout programs will have enticed about 100,000 federal employees to leave by the end of this fiscal year. Another 37,000 employees are expected to have departed by Sept. 30, including people who leave through normal attrition, early retirees ineligible for buyouts and victims of reductions in force. DoD accounted for two-thirds of the 8,600 RIFs government-wide in fiscal 1994; non-Defense agencies such as OPM and GSA accounted for the remainder.

Buyouts were central to the Administration's goal of reducing the federal bureaucracy for two reasons. First, they offered a way to avoid painful and costly RIFs. In mid-March, when OPM knew more than 80,000 buyouts had been approved, Leonard Klein, head of OPM's staffing group, said "the buyouts saved us from issuing more than 80,000 RIFs."

Although the cost of the buyout program will exceed $ 2 billion, RIFs would have cost more, OPM says, because the government would have had to provide laid-off employees with severance pay, unemployment benefits and outplacement services. OPM estimates that the average buyout immediately saves $ 6,200 over what the average layoff costs.

A 1993 Congressional Budget Office report disagreed, saying buyouts are more costly in the short run because not every buyout avoids a layoff, as OPM assumed. In the long run, however, CBO says buyouts do save money, GAO has not been able to quantify savings. Second, by targeting buyout offers, the Administration met the NPR goals of reducing numbers of supervisors, managers and overhead employees.

For example, the Federal Aviation Administration blocked front-line, lower-grade employees such as air-traffic controllers, maintenance workers and aviation safety inspectors from applying for buyouts. As a result, about 40 percent of FAA's 2,900 buyouts went to supervisors. The Treasury Department limited buyouts to the GS-14, -15 and Senior Executive Service ranks. And Agriculture's Forest Service, which accounted for about half the department's 5,300 buyouts, restricted them to employees at GS-14 and above at units where jobs will be abolished and to GS-13 and above at its regional offices and research stations. All of the agency's administrative employees, regardless of grade level, were eligible for buyouts.

Such restrictions did indeed skew the buyouts to the upper grade levels. Employees in grades GS-11 through GS-15, SES members and blue-collar supervisors took more than 56 percent of the non-Defense buyouts -- a greater proportion than those positions represented in the total workforce before the buyouts started last year, according to OPM. About 38 percent of the buyouts went to individuals in overhead positions, which matched their share of the total workforce. (Included in overhead positions were some supervisors.)

Span Of Control

Still, buyouts did not make significant strides toward meeting the NPR goal of increasing the so-called "span of control" -- halving the supervisor-employee ratio from a government-wide average of 1:7 to 1:15 by the end of fiscal 1999.

In written testimony given to the House Civil Service Subcommittee in March, GAO reported that the ratio at Agriculture, which was 1:8 in fiscal 1993, will only reach 1:10 by fiscal 1996. And the average Commerce Department supervisor will oversee 8.4 employees in fiscal 1996 -- not a big improvement from the 6.6 employees under each supervisor in fiscal 1993. GAO's Kingsbury says it is unlikely the government-wide supervisor-employee ratio will reach the 1:15 goal by fiscal 1999.

The reason for the slow progress may be found in agencies like NASA.

The space agency hadn't planned to offer more than the 1,177 buyouts it approved in 1994, but it was forced to offer 2,000 more to help meet President Clinton's planned $ 5 billion NASA budget cut over five years. The buyouts were driven more by budget numbers than an interest in reducing supervisors, says Spence Armstrong, NASA's associate administrator for human resources and education; NASA thus made buyouts available to all employees. The agency estimates its supervisor-employee ratio will decrease from 1:5.4 in 1993 to 1:8 in 1996.

DoD isn't targeting supervisors, either. Government's largest department typically has used buyouts not to reduce the number of managers, but to soften the blow of base closures by offering them to managers and front-line employees alike. As a result, the average grade of those accepting a buyout at DoD is GS-9, which is also the average grade held by civilian employees government-wide.

With no immediate plans for more buyouts, the Administration can only depend on early retirement and attrition to increase the supervisor-employee ratio. But those reductions occur proportionately through all grade levels, so they don't help increase the span of control. Still, departments like Interior hope to halve their ratios to help meet the government-wide ratio goal of 1:15. The department's ratio, 1:6 in 1993, will bottom out at 1:12 in 1999, says Theresa Trujeque, Interior's deputy assistant secretary for human resources.

Nevertheless, the lack of significant progress in improving the ratios through buyouts had John Koskinen, deputy director for management at the Office of Management and Budget, backing away from the 1:15 goal. "We may not reach 1:15," he told Government Executive in March, "but what's important is that people are moving in the right direction."

Conversely, buyouts have provided a good start in cutting overhead positions, which the NPR has targeted for a 50 percent reduction by fiscal 1999. In its March testimony, GAO reported that by fiscal 1996, Agriculture and Commerce will have reduced the number of employees in personnel, budgeting, accounting, auditing, procurement and headquarters functions by 10 percent and 12 percent, respectively. NASA will have cut out 13 percent of its overhead positions.

Finding the additional cuts shouldn't be too difficult, Kingsbury says. Besides attrition, elimination of overhead positions will occur when agencies begin the second phase of reinventing government. REGO II, as it is known, calls for agencies to identify programs that can be discontinued, privatized or transferred to state and local governments.

DoD's Burden

The overall decrease in federal employment may be impressive, but some say DoD has unfairly shouldered most of the decline.

"The restructuring exercise thus far looks more like a Department of Defense workforce restructuring that a government-wide streamlining," complained House Civil Service Sub-committee chairman John Mica, R-Fla., during a hearing on downsizing in March. About three of every four positions eliminated in fiscal 1994 and 1995 came from DoD, GAO testified. (See graph.) And in fiscal 1996, the Administration estimates DoD will account for 94 percent of the 35,900 positions slated to be cut.

Mica pointed out that most of the cuts in non-Defense agencies were concentrated in a handful of agencies, and he urged OMB to begin to make more cuts "across the full scope of the executive branch and not just the Defense Department."

Koskinen defends the Administration's record so far, explaining that non-Defense cuts look smaller than they truly are because some agencies had to hire additional workers to carry out programs Congress expanded. In fiscal 1995 and 1996, for instance, Treasury plans to add 4,900 employees, most of whom will oversee the taxpayer compliance program in the Internal Revenue Service. In the same period, the Justice Department plans to have a net increase of nearly 13,900 workers, many of whom will implement provisions in the 1994 crime bill.

"You can't run more prisons without more people," Koskinen says. He also notes that DoD's share of cuts will drop to a little more than half of the total between 1997 and 1999.

Even with DoD accounting for about 75 percent of the total workforce reduction over the last two years, DoD executives aren't rankled. "I'm not sure anyone at DoD is complaining that we're shouldering more of a burden than other departments," says Ronald Sanders, former head of DoD's civilian personnel policy and now director of the recently established Center for Public Management at the Maxwell School of Citizenship and Public Affairs at Syracuse University.

Sanders says civilian Defense managers understand that DoD's downsizing is part of a continuing evolution in its mission following the end of the Cold War, which is a separate issue from NPR streamlining goals.

Matching cuts to changing missions is exactly what non-Defense agencies should be doing -- but aren't, says experts on government management.

The National Academy of Public Administration (NAPA) warns that decisions about what functions an agency should conduct should precede any cuts, the exact opposite of what's happening now. Meeting arbitrary employment ceilings "does not give . . . managers the flexibility they need to decide how best to structure their organizations around the functions which have been authorized by Congress and the Administration," testified NAPA fellow James Colvard, who once held high positions in NASA and the Navy, at a January hearing of the House Appropriations Sub-committee on Treasury, Postal Service and General Government.

Colvard's warning appears to be ringing true at some agencies. One of the executives who managed FAA's buyouts says overhead functions have been reduced so much that "we're feeling the impact. We're a little thin now." At the Social Security Administration, 1,200 supervisors, managers and overhead employees took buyouts, and executives still haven't developed a long-term plan to manage the crushing workload the agency expects as more Americans retire. "We've done what my mother always warned me not to do: We've put the cart before the horse," says an SSA official. And at NASA, "No one has the answers for how we'll do things in a different way," says Armstrong. "We're still working on it. I can only hope we haven't done anything dumb."

Smaller is Better

Nevertheless, the American public and Congress ultimately will judge the success of reinventing government less by how much better government works than by how much smaller it is. "Everybody understands head counts," Colvard said at the hearing.

On that score, the Clinton Administration has made points, as it is squarely on track to meet the goal of cutting the required 272,900 jobs by the end of fiscal 1999. The Administration needs to cut less than 100,000 jobs in 1997-99 to meet the goal.

GAO's Kingsbury says the Administration should have no problem making the cuts, even if it just relies on normal attrition. The annual attrition rate required to carve out the required 100,000 jobs is just 1.75 percent. Historically, attrition in government has been much higher -- about 5 percent, on average -- although it is now somewhat lower.

In addition, early retirement, or early outs, will be available until Sept. 30. OPM officials are meeting with agencies to determine whether early-out options should be extended into fiscal 1996. GAO does expect that some agencies will have to institute RIFs in order to comply with NPR goals, but a minimum are expected.

But before the White House reaches the vaunted 272,900 cuts, Congress may up the ante. As early as next month, Sen. William Roth, R-Del., chairman of the Governmental Affairs Committee, could unveil a plan that would require the executive branch to cut up to 860,000 civilian jobs -- more than three times the current target. To get there, up to half of all agencies and departments would be eliminated. Cutting the federal bureaucracy may be popular, but it remains to be seen if Americans are ready to slash government that much.

THINNING MANAGEMENT RANKS

The federal buyout program for domestic agencies was aimed in part at cutting the ranks of supervisors and managers. Progress was made, as indicated by data showing a concentration of buyouts going to employees in higher pay grades.

Among white-collar workers, 64 percent of the buyouts went to employees at GS-11 and above, though only 43 percent of the workforce was in those grades at the time the buyouts were authorized in March 1994. Still, the Administration appears unlikely to reach its goal of cutting the number of managers in half by 1999.


         Number of   Share of  Number of Share of

         Employees  Workforce  Buyouts * Buyouts



GS 1-10     482,250       57%      8,151     36%

GS-11       120,951        14      3,558      16

GS-12       126,304        15      4,539      20

GS-13        73,068         9      3,062      13

GS-14        28,838         3      2,051       9

GS-15         6,816         1      1,209       5                            SES           6,509         1        151       1

Total       844,736       100     22,721     100

* Another 4,700 buyouts went to wage-grade workers, nearly all of them in non-supervisory positions. Buyout figures are as of March 7, 1995.

Source: Office of Personnel Management

]]>