Government Executive - Authors - Bill Murray

Agencies Caught in the Cookie Jar

Bill Murray — Mon, 01 Jan 2001 00:00:00 -0500

Any browser can place cookies in Web site visitors' hard drives to identify and track their usage patterns on the Web. Cookies come in two flavors: "session cookies" terminate shortly after a user has left a particular Web site, and "persistent cookies" stay imbedded in users' hard drives to identify them when they return.

Persistent cookies are particularly irksome to privacy advocates, but many citizens dislike the use of any cookies. These views subject the digital world to a higher privacy standard than the paper-based world. So how are federal managers to improve their Web sites-which are becoming key to delivering information to citizens-if they can't track who is visiting their sites and for what?

A recent General Accounting Office audit of 65 federal Web sites shows that 13 agencies violated a policy that the Office of Management and Budget issued in June restricting their use of cookies. Auditors found that the Office of National Drug Control Policy had allowed a company to install persistent cookies on its Web site (www.whitehousedrugpolicy.gov) without informing users. The Forest Service (www.fs.fed.us), meanwhile, allowed a company to have "co-ownership" of cookie data, also without any notice on its Web site.

It's unclear whether the officials who permitted the use of persistent cookies at the 13 agencies had the approval of their agencies' senior executives and political appointees. Failure to get permission is certainly possible, given that the Web is considered the "Wild West" of the digital frontier. Still, we don't know whether those officials acted rashly or with bad intent.

Technology can create problems for managers when a few people seize on a new idea and rush to implement it without going through the proper channels. As GAO's report showed, however, the egg is on the face of upper level managers at least as much as on anyone else.

Sally Katzen, OMB's deputy director for management, has said that the Clinton administration didn't object to session cookies, but Web site managers shouldn't use persistent cookies unless they get the agency head's personal approval. This would ensure that they don't violate the 1974 Privacy Act.

But following the law isn't so easy for federal Web officials. In a recent audit, the Transportation Department's inspector general found that many DOT agencies incorrectly reported their use of cookies. Thousands of Transportation's 200,000 Web pages had not been checked for proper cookie use, according to the IG report. And two agencies were using persistent cookies as a result of improper Web site software configurations. Web experts like Marc Andreeson, former chief technologist at Netscape Communications Corp., encourage the release of software before it's mature and bug-free. Otherwise business innovation would be stifled, he says. At the same time, federal managers are getting pressure from Congress and watchdog groups who are forcing agencies to get their Web privacy practices in line. If they don't get their acts together, they risk being laughed off Capitol Hill next time they request funding for information security projects.

Data privacy has become a sensitive political issue. Sen. Fred Thompson, R-Tenn., the Senate Governmental Affairs Committee chairman, and House Majority Leader Rep. Dick Armey, R.-Texas, joined the fray last year by requesting a GAO investigation of government agencies' Web site security practices.

Persistent cookie data can be matched up with other data to create profiles of citizens through their Internet protocol addresses, which in turn could provide access to their names, Social Security numbers and mailing addresses, wrote John Spotila, administrator of OMB's office of information and regulatory affairs, in a widely circulated letter to Roger Baker, the chief information officer of the Commerce Department. This phenomenon is potentially troubling given the volume of financial, medical and personal data contained in government records, according to Spotila. Agencies must post clear privacy policies on their principal Web sites, as well as "any other known, major entry points to sites," OMB Director Jacob Lew wrote in the June directive to agencies. Agencies must ensure that data collected by cookies are not shared with third parties, if that's their stated policy, according to the memo.

Citizens should be able to presume that agencies don't use cookies on their Web sites unless an agency clearly says it does, Lew said. The directive also applies to contractors that operate Web sites on behalf of federal agencies.

According OMB's policy, agencies need to demonstrate the following, in order to use cookies:

A compelling need to gather site user data.

Appropriate and publicly disclosed privacy safeguards for handing site data, as well as information collected through cookies.

Personal approval by the agency head.

OMB ordered agencies to provide with their annual budget submissions in December a description of their privacy practices and the processes they've implemented to comply with the cookies policy.

Such regulatory and legal constraints make it challenging for federal managers to introduce commercial business practices and operate more efficiently. But some agencies seem to be accomplishing those goals, according to OMB.

In fact, Spotila has praised the U.S. Mint's Web site (www.usmint.gov) on its use of session cookies to help coin collectors make purchases. The Education Department's Direct Consolidation Loan site (http://loanconsolidation.ed.gov) also follows the law in using cookies to help student loan recipients fill out loan applications online, according to Spotila.

Mint officials, who refer to coin collectors as their Web site's biggest customers, broke the $5 million sales mark for daily revenue in October, says spokeswoman Kathy Millar. During the 12-month period ending in October, the Mint's site racked up $156 million in sales, making it one of the Top 20 "e-tailers" in the world, she says.

Cookies provide the Mint with the opportunity to connect Web site users with particular servers at two "cybercenters" that process orders, says Glenn Hall, the office of electronic business director at the Mint. No other known technology allows them to make such connections, so using cookies is key to the site's success, he says. User interaction with the site is anonymous until a visitor places an order. Such an "opt in" policy, which allows site users to reveal what they want about themselves, is becoming popular among federal Web sites.

The cookies embedded in a user's hard drive at the Mint site normally expire within 20 minutes after the user has left the site, Hall says. "There can be remnants left in a hard drive's temporary file, but the browser enables you to erase that data," he says. Although the Web site has served about 500,000 users a year for the last two years, the agency has received just three written complaints about the cookies, he says.

The Mint's Web site uses persistent and session cookies. An online notice says that when users return to the Web site, identifying cookies will be sent back to the site along with the user's new request.

Commercial vendors often customize their Web sites using persistent cookies, so that users can view data that most interests them during subsequent visits. But the Mint does not engage in that practice, Hall says. The Mint's chief information office has taken what Hall calls a "strong position" in deciding they "don't have the right to go out and erase" cookie files that have been embedded in users' hard drives.

The General Services Administration, which uses the Web to conduct much of its business, uses a fee-for-service model like the Mint's. GSA doesn't track or look at usage behavior with its cookies, except when site security is endangered, according to the privacy and security policy posted at www.gsa.gov. "When we examine this data, it is always presented in an aggregate form," to determine the number of users and how to improve customer service, the notice states.

GSA officials have adopted an "opt in" strategy whereby they don't use any identification data unless site visitors fill out a data request. GSA shares data with third parties only in the case of an authorized law enforcement investigation, according to the notice.

Agencies may have more restrictions than private companies do when it comes to implementing innovative electronic business strategies, but federal managers have proved they can abide by OMB's regulations while gathering and disseminating information through their Web sites.

Federal managers, however, should move more cautiously than fearless dot-com employees who don't face the scrutiny of Congress and GAO. They should set up points of accountability in their organizations, so that it's clear who's in charge of Web site security and the sites are being checked regularly for compliance with OMB policy.

Using cookies well can benefit agencies in their electronic government initiatives, but managers have to ensure that they abide by OMB policy.

]]>

Joining Forces

Bill Murray — Fri, 01 Dec 2000 00:00:00 -0500

The Navy and the Marine Corps have connected to launch one of the biggest technology outsourcing contracts ever.

hat do you do when you've just awarded one of the largest information technology contracts in the history of the federal government? You start figuring out how to manage it.

In early October, the U.S. Navy awarded its eight-year, $6.9 billion Navy-Marine Corps Intranet (NMCI) contract for managing the service's shore-based computing enterprise. Electronic Data Systems Corp. of Plano, Texas, won the deal. The selection of EDS over three other bidders brought the curtain down on the opening act of the NMCI drama, which began in June 1999 when Navy officials announced the contract and created a program executive office to manage it. Other aspects of the drama, including the management challenges it will present to the service, are only beginning.

Through NMCI, the Navy is buying voice, video and data services for shore-based operations, along with personal computers, servers, networks and help desk support. "The infrastructure will be turned over to the vendor," which will own the PCs, servers and other peripherals, says Lt. Col. Robert Baker, the Marine Corps' NMCI liaison. "The government will still [exercise] governance over its information architecture and the infrastructure through which the military business, if you will, is transacted."

Because of its size and scope, NMCI has become one of the most-watched government IT contracts, with interested parties in Congress, the Navy, the Marine Corps, the Office of the Secretary of Defense, the Defense Information Systems Agency and the Small Business Administration all overseeing its implementation.

EDS will operate at least four regional network operations centers across the country in areas with heavy Marine Corps and Navy concentrations, says Andy McCann, EDS' client sales executive for NMCI. The company will staff help desks both on site and in central locations to provide user support for 350,000 computers--or "seats," in IT contracting parlance--in the continental United States, Hawaii, Guam, Iceland, Puerto Rico and Guantanamo Bay by the second quarter of 2003. This quarter, the Naval Air Systems Command (NAVAIR) is rolling out NMCI to 40,000 seats, says Bonnie Bowes, the command's NMCI transition manager at Patuxent River Naval Air Station, Md. NAVAIR officials are negotiating service agreements with EDS to govern NMCI.

Other federal agencies are watching closely to see how EDS and the Navy fare in the initial deployments--which also go to seven other Naval aviation organizations besides NAVAIR. Interest is high because the concept of seat management is spreading throughout government, says Ronald F. Turner, the Navy's deputy chief information officer for infrastructure, systems and technology.

Emulating Industry

After the Navy launched NMCI, Joseph Cipriano, the service's program executive officer for information technology, visited 11 large corporations that have outsourced their IT infrastructure to find out about best practices, Turner says. Cipriano determined that outsourcing the Navy's shore-based IT infrastructure to a vendor could save $3.5 billion over five years, according to Turner.

The NMCI contract includes provisions that reward EDS for good service and punish it for sub-par performance, just as many companies do in their outsourcing contracts. NMCI includes 44 major service-level agreements. For example, the wide area network will have to remain in operation 99.999 percent of the time-with only 5.6 minutes of downtime per year allowed-or EDS will face penalties. "We looked at what commercial industry uses," Turner says. "If industry can buy it, why can't we?"

EDS and its subcontractors will have to resolve help desk calls within four or eight hours, depending on the type of problem, Turner says. The company's global help desk will have to pick up calls by the fourth ring. EDS will replace hardware products such as PCs and servers every three years. The service-level agreements also include a key security provision. If a Marine Corps and Navy security team successfully breaks into department systems covered under NMCI, EDS could lose as much as $10 million, Turner says.

The Navy has set up a computer task force in Washington to provide "near real-time insight on how the network is run" by EDS, Turner says. Defense Information Systems Agency (DISA) officials, as well as the commanders in chief of tactical forces and network operations centers, and other DoD services, will have "total insight into our network" so they know how it's performing, Turner says. The Marine Corps already operates a network operations center at Quantico Marine Base, Va., that fulfills the same function for that service.

Despite what would seem like a complex task, Turner says keeping track of the service-level agreements shouldn't be a problem for the Navy. But a Marine Corps official says "substantial risk" is involved in monitoring and enforcing vendor performance. "The reality is that if a vendor fails to fulfill service-level agreements, the impact may be felt immediately, can take quite some time to solve, and can have dramatic impact on the Marine Corps' [command, control, communications, computers and intelligence] capabilities," says Col. Michael Albano, commander of the Marine Corps Tactical Systems Support Activity at Camp Pendleton, Calif. Nonetheless, the Defense Information Systems Agency and the Marine Corps Systems Command have "very capable" project officers who will tackle the challenges, Albano says.

How It Began

Concerned about thousands of onshore networks that didn't operate well together and an aging civilian information technology workforce, among other considerations, Navy officials stepped out ahead of the rest of government with the most ambitious seat management effort yet.

First, former undersecretary of the Navy Jerry M. Hultin spearheaded the service's Revolution in Business Affairs, an effort to dramatically improve the way the Navy does business by using commercial providers when it make sense. The Navy is spending $100 million in the near term to retool a number of proprietary systems in areas such as logistics, maintenance and project management. The effort uses commercial software and relies on systems integrators such as EDS and IBM.

Next, Navy officials argued that the service should stick to what it does best--maintain military readiness--and simply outsource the maintenance of its voice, video and data system through NMCI. Because of the sheer size of that undertaking, other agencies are taking notice. So far, seat management pilot projects--except those in NASA--have been limited to a few hundred or a couple of thousand users here or there in agencies such as the Army Materiel Command, Defense Logistics Agency, General Services Administration and the Housing and Urban Development Department. National Security Agency officials are planning to award a multibillion-dollar outsourcing contract called Project Groundbreaker in 2001, but Air Education and Training Command officials at Randolph Air Force Base, Texas, couldn't get funding to begin their seat management program this fiscal year.

Initially, Navy military leaders such as Rear Adm. John A. Gauss, commander of the Space and Naval Warfare Systems Command in San Diego, wanted the Navy to own the voice, video and data network that became NMCI. The procurement initially was known as the Navy-Wide Intranet, and Gauss wanted his command to charge the rest of the department to operate the network through a fee-for-service arrangement.

In the spring of 1999, Navy officials changed the name of the project to Navy Marine Corps Intranet to better reflect the inclusion of the Marine Corps. They then rejected Gauss' idea of owning the network and named Cipriano to manage the contract. Cipriano asked current and former Marines to help run the project to ensure the Corps' buy-in to the program.

Navy officials wanted to put NMCI on the fast track and award it by June 2000, but they ran into obstacles at the Small Business Administration and the House and Senate Armed Services and Appropriations committees. To placate concerns at SBA and in Congress, the Navy required NMCI bidders to give at least 35 percent of their contract work to small businesses or face a $625,000 fine for each six-month period they failed to meet the goal. If EDS exceeds the 35 percent goal, they'll receive an additional $625,000. EDS officials say they will beat the requirements by 5 percent.

The Navy also had to perform a detailed personnel study to determine the effect of NMCI on employees who do work that would be outsourced. Navy officials paid the GartnerGroup Inc. of Stamford, Conn., to perform a seat management case study for them, then visited corporate businesses that had outsourced their IT infrastructures. But congressional staffers wanted more information. Cipriano and his colleagues had to provide budget figures to show how much they were currently paying for NMCI services, how much they planned to pay through NMCI and how much they'd save.

Through the personnel study, Navy officials identified 1,900 people who do jobs that will now be provided by EDS under NMCI, Turner says. "All but 326 people have been tagged to go to other functions" in areas such as software application development and Web development, he says. EDS will pay a $25,000 signing bonus and guarantee a 30 percent pay increase to any Navy personnel who join the company, and they also will get three years of guaranteed employment.

Sticky Issues

In getting NMCI off the ground, Navy officials also had to hammer out agreements with DISA to govern NMCI's use of the Defense Information Systems Network (DISN), according to Hultin, who now serves as dean at Stevens Institute of Technology's School of Technology Management in Hoboken, N.J.

Navy commanders had long expressed dissatisfaction with DISA, which operates a long-haul voice, video and data network that Defense Department organizations must use, unless they get a waiver from Arthur L. Money, DoD's chief information officer and assistant secretary of Defense for command, control, computers and intelligence. "If we're going to outsource our PCs, servers, networks and help desk support, why don't we outsource the long-haul network and use what the vendor provides us instead of DISN?" commanders asked. Navy Chief Information Officer Daniel Porter went so far as to call DISA a "government monopoly."

While NMCI bidders provided the Navy a choice between using DISN or the vendors' networks through NMCI, Navy officials ultimately decided that DISN would provide an adequate level of service. DISA's commander, Air Force Lt. Gen. Harry Raduege, "has a very customer-centric view," says Turner. "Almost immediately, he appointed [Air Force] Brig. Gen. Bernie Skoch [to be] the director of DISN network services."

Another sticky issue for NMCI has to do with 1996 Clinger-Cohen Act oversight by Money to ensure that the department had reviewed alternatives to outsourcing, had considered commercial best practices and had a firm timetable and budget to accomplish the work. Capitol Hill staffers expressed concern about how Money had overseen other programs and said they wanted to make sure that NMCI was properly run.

It took months for Money and Navy officials to convince Congress, the Office of the Secretary of Defense and SBA that they had dotted all their "i's" and crossed all their "t's." But they finally got the green light to award NMCI four months late, at the beginning of fiscal 2001. To provide a smooth rollover and to try to ensure that EDS meets or beats the command's existing network performance, 14 Naval Air Systems Command employees are acting as "smart buyers" on the contract, Bowes says.

Whether having a "one-touch" vendor that they can contact for all their voice, video and data needs will make management easier is "difficult to say," Bowes acknowledges. While EDS is the prime NMCI contractor, it has 25 subcontractors and will be adding more companies to its team as it rolls NMCI out to different installations, says EDS' McCann.

Cultures and Costs

Bowes predicts that the technical aspects of the initial NMCI rollover at NAVAIR won't be a big deal, since the command already has a standard e-mail and network architecture (using Microsoft Outlook and Windows NT). A bigger management challenge involves making NAVAIR employees "understand the changes in processes and building a trust relationship" with EDS, Bowes says.

A consultant who works with federal officials and integrators agreed. "NMCI, if it works, will require a major cultural change in how they do business," says Robert J. Guerra, president of Guerra and Associates, a federal information technology consulting firm in Oakton, Va. "The government has to change, as well as the vendors. The government can't manage it on a contract line-item number basis. They need to say, 'Here are what my requirements are,' and work with the vendor" to come up with the best seat management program for each command and installation, he says.

The Marine Corps' Albano says EDS will have to gain the trust of the military because the Corps already has a central network control center and standard network architecture, which the Navy has lacked. "By any metric that you might select, the existing Marine Corps Enterprise Network provides terrific service to all Marine Corps units and individual units," Albano says. "It remains unproven that a vendor will be, or can be, as responsive to Marine Corps needs as our own network administrators. Once we go down this road, it will be very difficult to turn back."

Albano also predicts that NMCI will be a challenge for the Marine Corps because the service merged its garrison and tactical command, control, communications, computers and intelligence systems nearly 10 years ago. Having to separate them-because NMCI will cover the garrison networks-will be difficult. "We will need to be very careful when making that distinction in order to prevent loss of service to our warfighters, while insuring seamless connectivity between garrison and tactical networks," Albano says.

At least two Navy organizations have had to change their business practices because of NMCI. The Space and Naval Warfare Systems Command's fee-for-service IT Umbrella program in San Diego has had to begin targeting specific niches in awarding contracts on the Navy's behalf, since NMCI will cover many of the areas that its contracts have dealt with. Nikki Isfahani, head of the program, says that her employees are focusing on the test and evaluation work they do on the command's behalf, and they're also cutting down on the nearly 50 contracts they manage.

The Space and Naval Warfare Systems Center in Charleston, S.C., meanwhile, had begun offering NMCI-like services to Navy customers on a fee-for-service basis, says Robert Cooney, the center's ambassador to NMCI. His organization is having to target areas not initially covered by NMCI, such as software development and knowledge management.

Another of NMCI's management challenges is cost. NMCI is not an outright purchaser of the products and services covered, so service officials can use operations and maintenance funds to make purchases. But Brig. Gen. Robert M. Shea, the Marines' chief information officer, has said that costs could prohibit or cut back on the Corps' NMCI deployment."I learned years ago that, when it comes to systems acquisition, there's no such thing as a free lunch," Albano says. "Whether there will be a savings dividend for the Marine Corps by implementing NMCI remains to be seen. I believe that NMCI has [the] potential to actually cost more than the current Marine Corps Enterprise Network and, therefore, adversely impact other important Marine Corps programs."

]]>