Government Executive - Authors - Karen D. Schwartz

Big Deals

Karen D. Schwartz — Thu, 01 Dec 2005 00:00:00 -0500

With more multiagency contracts breaking the $20 billion barrier, 2006 might bring some of the biggest deals ever.

Speed, organization and efficiency are the top goals for agencies developing and awarding major technology contracts in fiscal 2006.

With federal agencies projected to spend $76 billion on information technology and staff in fiscal 2006, one of the most notable trends in contracting is a continued push for faster awards, achieved in many cases through multiple-award contracts such as governmentwide acquisition contracts (GWAC) and indefinite delivery/indefinite quantity (IDIQ) deals. At least $64 billion in federal IT spending is expected to go to private sector suppliers, according to Reston, Va.-based consultants INPUT.

The push for speed is rooted in simple economics. As the government is asked to do more with less, it has trimmed its workforce-including its procurement and acquisition staff. The Homeland Security Department has only 20 certified program managers handling programs worth $100 million or more, for example.

DHS has implemented the Enterprise Solutions Office, a joint program under the new Information Technology Acquisition Center designed to provide centralized management with decentralized ordering capabilities for contracts, including the Enterprise Acquisition Gateway for Leading Edge solutions, a multiaward IDIQ information technology services deal, and First Source, a similar contract for IT commodities.

But perhaps most significant is the trend of multibillion- dollar contracts, the largest this year being Alliant, a GWAC worth up to $50 billion. The move toward massive contracts is a natural progression for federal contracting and a reflection of what is happening in the IT world as technology solutions become more complex and difficult to integrate and include multiple technologies. Expect to see more of these huge contracts in the future.

A growing reliance on multiple-award contracts also reflects government's desire to consolidate and combine repetitive or redundant systems and contracts.

Fiscal 2006 also will see agencies placing more of the onus on the bidder in requests for proposals by replacing statements of work with statements of objectives, which require vendors to propose more comprehensive solutions. To some degree, this is the result of having fewer experts and program managers available to draft complex work statements, but it's also a sign that government wants to pass on more of the risk to industry.

Finally, fiscal 2006 could be something of a watershed for small businesses as agencies focus on ensuring that small companies have more opportunity to bid on and win contracts. Many of the major contracts to be let in 2006 strongly encourage small business participation. In addition, all governmentwide IT contracts will have small business set-asides, notes Darren Bezdek, manager of subcontracting opportunities at INPUT.

]]>

Data Dump

Karen D. Schwartz — Sat, 15 Oct 2005 00:00:00 -0400

Executive dashboards help agency decision-makers turn information into insight.

The Environmental Protection Agency uses one to analyze key financial and environmental indicators. The Defense Department's TRICARE health care system evaluates the effectiveness of various treatments and programs with one. The Army Reserve Command uses one to monitor, analyze and report on operational readiness of troops. And the list goes on. Countless federal organizations have learned the hard way that collecting data is only the first step toward understanding it. To recognize, analyze and rectify problems quickly, many are turning to executive dashboards-automated panels containing the latest possible data, with performance measures and gauges that indicate the status of those measures. Often, managers can drill down from those measures to receive the detailed information they need to make decisions or determine the root of the problem.

Agencies are using dashboards in a variety of ways-from budget performance integration and financial management to case management reporting and performance, and from acquisition technology and logistics to human capital performance management.

Executive dashboards solve many problems for organizations-chiefly, how to handle the vast amounts of fast-changing data they receive and how to use that data. "Managers have told us over and over again that they are getting inundated with spreadsheets and database reports," says David Vandagriff, vice president of business development at Corda Technologies Inc. in Lindon, Utah. "The dashboard pulls the information out at a high level and lets a manager understand at a glance whether things are going well and where there are problems."

It's also an effective way to comply with the financial and performance requirements of the President's Management Agenda and the 1993 Government Performance and Results Act, which are intended to improve the way agencies run their programs. "We've seen them improve management of program and budget performance by linking strategy and metrics to goals and decisions, and becoming more outcome- and results-oriented," says Scott Dulman, worldwide director of government marketing for Business Objects of San Jose, Calif.

Other benefits include better allocation of resources, and alignment of spending with an organization's strategic priorities. Managers also report significant time savings when program managers no longer have to collect and update their own data.

The State Department's Office of Strategic and Performance Planning is a recent convert. It is transitioning to the Global Affairs Dashboard from Oracle and Business Objects to manage volumes of performance plan data from missions and bureaus worldwide.

"We were capturing a lot of data, but it was sitting in a database into which we didn't have a lot of visibility beyond reports," says Rudolph C. Lohmeyer III, a senior policy analyst in the office. "We didn't have the ability to juxtapose, for example, the performance, planning, goals, resources and staffing levels across missions and bureaus to do real analysis and comparisons and make better decisions."

Once the Global Affairs Dashboard is fully up and running, senior decision-makers, high-level managers in missions and bureaus, planning coordinators and program managers will use it to analyze allocated resources and mission performance against specific strategic goals by bureau and request ad hoc reports.

Upping the Ante

Now that so many federal agencies-and increasingly, state and local governments as well-are realizing the benefits of executive dashboards, they want to up the ante with more scalability, ease of use and, most important, intelligence. Vendors have stepped up to the plate, offering upgrades that do just that.

"Everyone now wants the ability to have the information be data-driven and not simply a reporting tool," says Brian Rowland, performance management strategist with the U.S. government and education division of Cary, N.C.-based SAS Institute. "A dashboard can tell you where your performance measures stand right now, but that only tells you so much. If you're in the red, the executive wants to know why. Business analytics and intelligence capabilities can help answer the question why by delivering reports, graphs and data to support answering those questions."

The Coast Guard is a case in point, having implemented an automated dashboard from SAS Institute in 2003 for its Integrated Deepwater System program, replacing a system involving manual data collection and PowerPoint displays. The dashboard was working well for managing the modernization and replacement of the Coast Guard's ships and aircraft. But the performance measurement team decided it was time to take the next step into the world of business intelligence, moving to the latest iteration of SAS Institute's Strategic Performance Management dashboard system.

"We look at it as a continuum from data to information to knowledge to intelligence," says Greg Cohen, performance measurement lead for Deepwater. "With information you get hindsight, with knowledge you get insight, and with intelligence you get foresight."

By taking that next step, Deepwater executives have much more information and greater management capabilities. In human resources, executives not only can examine job vacancy rates, they can view openings by organization, type of assignment, length of vacancy and other metrics. By getting this information quickly, managers can speed up hiring, eliminating the "use or lose" nature of some of the billets. For budgeting, managers can use business intelligence to view the status of the cost performance index, and with three clicks of the mouse, determine why the CPI is performing the way it is.

Deepwater is in what Cohen calls the "with knowledge you get insight" phase, but, he says, the pinnacle would be to reach the intelligence and foresight level, where managers can perform advanced analytics, statistical predictions and forecasting.

Dulman of Business Objects says dashboards will bring self-service at the desktop and interdepartmental and interagency collaboration. It's happening already, he says. The State Department, EPA, Air Force and others are using collaborative techniques to get information from different programs, organizations and systems within an agency. Interdepartmentally, the Treasury Department's financial crimes area is getting information from Treasury, Justice and the Homeland Security Department, while the Air Force is integrating its dashboards with information from its contractors.

]]>

Dialed In

Karen D. Schwartz — Mon, 15 Aug 2005 00:00:00 -0400

Voice over IP phone service is slowly gaining converts.

Until a few years ago, federal agencies with aging phone systems had little choice but to replace them with similar ones of tried-and-true reliability and availability, but often at a cost many considered too high.

But as technology advances, more agencies are turning to Voice over IP (VoIP)-voice service delivered in digital form via the Internet Protocol instead of using traditional public switched telephone networks. VoIP has many advantages over standard phone systems, including cost and economies of scale, because voice and data traffic can be bundled.

For the Commerce Department, which has been moving its headquarters facility and the Census Bureau to VoIP for internal phone use during the past three years, cost was a major reason. "If you add up all the components of cost savings, it turns out to be the best way to go over the long term," says Tom Pyke, Commerce's chief information officer. Analysts evaluated not only start-up costs, but the time the IT staff would need to manage the installation and ongoing maintenance.

"We migrated from more than 140,000 smaller phone systems in the headquarters building, and Census had a bunch of phone systems as well," Pyke says. "We were able to go to a single phone system with a single help desk. We now use the same help desk to provide PC support for the Office of the Secretary [and] to get network and phone service support for the entire building."

For Commerce, a VoIP-based system offered another bonus-a way to provide emergency broadcasts to the entire building through the phones.

The Social Security Administration is testing VoIP at 23 facilities with the goal of replacing all phone systems at its 1,600 sites nationwide. Officials evaluating the system already see benefits. Chief among them is the potential to run voice traffic on the same network as data, video and other information, says Phil Becker, associate commissioner for telecommunications and systems operations at SSA.

The Federal Trade Commission is another enthusi-astic backer of VoIP. In addition to significant cost and time savings for the IT staff, the FTC cites other advantages. The VoIP system occupies four to five times less physical space than the agency's private branch exchange-based system. VoIP uses the network's power source, unlike the older system, which needed its own. Also, users can configure such functions as speed-dialing and call-forwarding through the Web and unified messaging, which allows them to hear e-mail through their phones and check voicemail from e-mail in-boxes, says David Lanexang, a solutions architect with CDW Government Inc. of Vernon Hills, Ill., which is involved in the FTC's move to VoIP.

For the Defense Information Systems Agency, a combination of all these factors-and evaluation and testing by contractors Computer Sciences Corp., General Dynamics Corp. and Nortel Networks-sealed the deal.

"They realized they would save money immediately as well as long term," says Bob Dunn, vice president of Nortel PEC Federal Solutions of Fairfax, Va. "They also realized we could provide a network that could not only provide plain voice, but video and data, and that we could do it in a secure fashion. And the benefits of owning and managing their own assets meant they didn't have to rely on a carrier to provide services."

Rating Reliability

As with all technologies, nothing is a slam-dunk-at least not without serious evaluation. That means ensuring that a VoIP-based phone system is as reliable and secure as traditional ones. In large part, security concerns have been allayed because most agencies would run their systems on internal data networks, which already are secure, instead of the Internet.

Reliability and availability, however, continue to be major issues. "The service the phone system delivers has to meet the needs of the employees and the public who are calling us, which means we need satisfactory voice quality and the availability you would get from a conventional phone system," Becker says. The SSA pilot is a way to gauge whether VoIP has what it takes, he says.

Service quality also raises concerns. "VoIP adds another layer of traffic on top of the network, so we have to hone our network's quality of service and operating procedures to respect the fact that VoIP is a lot less tolerant of errors and disconnects than data may be," Becker says.

Many agencies, while forging ahead with the technology for internal use, are stepping more cautiously into the world of VoIP for long-distance communications, where voice is translated into packets and sent long distance to be reassembled into a recognizable voice at the other end.

To ensure the smoothest transition, Commerce is holding off on using VoIP for long distance until the General Services Administration's new NetWorx contract is in place. NetWorx, to be awarded in 2006, will offer an array of telecom and data services to government agencies. "We're hoping that solicitation will be structured in such a way that we can choose from among various sources, just like we do now using the FTS 2001 contract," Pyke says. "And we're hoping there will be a capability available to use for long-distance purposes either explicitly or implicitly under NetWorx."

DISA is in a similar position and is holding off on VoIP for long distance. If the agency chooses that route, service could go through its private network or through the Internet. DISA probably would use its private network for voice and use the Internet for data, Nortel's Dunn says.

The FTC also is taking a pass on VoIP for external calling. External calls are converted to analog communications through the agency's gateway and sent via Verizon, the FTC's local and long-distance carrier. CDW-G is evaluating a potential move to a VoIP system with a different rate structure, Lanexang says.

Making a Case

Each decision to implement VoIP must be based on a compelling business case study. That should include a convincing return on investment, an analysis of whether the technology is consistent with the organization's enterprise architecture and a thorough security evaluation.

Commerce prepared a business case more than three years ago for its headquarters implementation of VoIP and developed a separate study for the Census Bureau. Any decision to expand the system further would be based on business cases developed by the individual bureaus, Pyke says.

Federal technologists and vendors believe the future of VoIP in government is bright. "VoIP offers many possibilities-e-mail to voicemail, fax to e-mail, voice to text, instant messaging and more," Dunn says. "VoIP is a growing offering in the world of convergence."

]]>

Network Anomalies

Karen D. Schwartz — Fri, 15 Jul 2005 00:00:00 -0400

Agencies can ward off hackers by finding pattern shifts before the damage is done.

Secretly, surreptitiously, a hacker has circumvented your computer system's security infrastructure, broken into classified files and shut down your network. Because the hacker was experienced enough to bypass your signature-based security methods, he was able to get what he wanted and bring your network to its knees before anyone even realized something was amiss.

Every federal agency has the requisite security-antivirus software, firewalls and signature-based protection such as intrusion detection systems-but none would have stopped this attack. Hackers keep up with the growing number of new methods to circumvent security.

Enter anomaly detection. Unlike traditional security methods, anomaly detection examines patterns of network use and the information that comes from those patterns. The data then is compared to expected norms to identify unusual or unauthorized activity. If anomaly detection had been used in this case, the hacker's methods and timing would have been compared to normal system usage, quickly determining that this user and his methods were unusual.

"The idea is to use technology to bring different data sources together and determine what's anomalous behavior-not because any one source is telling you that, but because there were multiple events that seem to be related, and when you draw rules against them or do some statistical analysis against them, they appear to be out of the norm," says Edward Schwartz, senior architect at netForensics Inc., an Edison, N.J., information security vendor.

Anomaly detection is best used when a large amount of traffic must be examined, says Carlos Blazquez, security operations manager at Telos Corp. in Ashburn, Va., which has implemented the technique for several federal agencies. "It ties together security and operations so you have the big picture and can determine what's normal behavior on your network. That way, you can observe behavior that's abnormal," he says.

Unlike intrusion detection systems-by far, the most common security method used by federal agencies-anomaly detection works in environments where the enemy is unknown.

"Attackers can turn your machines into servers that perform reconnaissance and command-and-control work associated with malicious code," Schwartz says. "For example, a machine that is normally a workstation might suddenly begin to act like a Web server or start transmitting thousands of megabytes of data outbound. [intrusion detection] won't pick up an outbound session like that if it's on a well-known port, but anomaly detection will take telemetry from firewalls, IDS, routers and switches, and specific anomaly detection devices and bring it all together, determining that combination of things constitutes an unusual occurrence."

Perhaps most important, anomaly detection takes time into consideration-a critical factor when trying to spot anomalous behavior. "It's about reaction time," says Adam Powers, director of technology with the advanced technology group at Lancope, an Alpharetta, Ga., anomaly detection vendor. "It's designed to quickly and effectively provide an early warning system for these new, undocumented attacks."

Active Monitoring

Anomaly detection is gaining converts mostly in the private sector, but it has many potential applications in the federal government, says Vance Hitch, chief information officer at the Justice Department. Hitch also is IT security and policy liaison for the Federal CIO Council. "We see it used in the financial services world, where anomaly detection can model and develop a working profile of how you use your credit card so it can detect when it's being used differently," he says. "Similarly, in the federal world, you could use it to monitor the different patterns of usage for each user-which files they access, what times they do it, the frequency of access-and flag when they start varying significantly from it."

Anomaly detection also can help agencies enforce security policies, says Damon Hopley, director of security and software at Enterasys, a vendor of secure network technology in Andover, Mass. "Most government agencies have acceptable usage policies that determine when employees should be logged out or avoid surfing the internal net, or whether FTP servers are run within the internal network," Hopley says. Some systems offer both passive and active monitoring, reacting and enforcing actions based on discovered anomalies or behaviors, he adds.

Some agencies already use some form of anomaly detection, but Hitch expects the technology to catch on as it becomes well-known throughout government and as more vendors incorporate it into their traditional security offerings.

So, is anomaly detection smarter security? "It gives the security team the ability to monitor areas of the network they couldn't previously monitor, so it's smarter with regard to the deployment methodology and detection technology," Power says. "It's a smarter approach to analyzing network conditions."

It's not only smarter, but necessary, according to Blazquez. "You always want to have additional layers of security and different ways of measuring what's going on, on the network," he says.

As with any technology, it makes sense to evaluate anomaly detection on a case-by-case basis, Hitch says. "One of the costs you have to weigh in using this kind of technique is the false positive," he says. You're basing your monitoring on a pattern of behavior over a period of time and looking for deviations from it. But if it turns out that the activity was acceptable, although way out of the norm, that's a cost.

"Usually, you would be willing to pay that cost for the added protection, but if it happens repeatedly, that wouldn't be a good application for anomaly detection," Hitch says.

]]>

Winds of Change

Karen D. Schwartz — Wed, 15 Jun 2005 00:00:00 -0400

Business rules management software helps agencies tame the onslaught of updates.

Finding the right property to house various federal agencies might not appear to be complicated, but realty specialists know differently. Not only does every agency have unique requirements, but every property leased by the federal government is subject to myriad rules governing its use.

Until recently, realty specialists at the General Services Administration used a complicated and often inaccurate system to find office space for agencies. When an agency's needs or federal regulations changed, notices were sent to the specialists via e-mail-so much varied information, in fact, that they often couldn't keep track of it. They usually ended up using outdated information.

For decades, agencies have managed complex decisions in much the same way-manually updating rapidly changing rules posted in aging legacy systems. That method increased the risk of error, led to confusion, wasted time and created obstacles for new employees in training.

A few forward-thinking agencies are turning to a new kind of system designed to standardize the process. Business rules management software enables quick and accurate changes to rules and regulations. The changes are automatically pretested to ensure they don't conflict with existing rules and then launched immediately throughout the system.

GSA is pilot-testing a system from business rules software vendor ILOG Inc. of Mountain View, Calif., to help realty specialists sort through frequently changing rules.

"A realty specialist looking for a lease in San Francisco, for example, will automatically bring up rules related to that area, such as seismic information," says project manager Arlene Graham. "If it's for the FBI, it might bring up requirements for bulletproof glass and other security rules, while if it's for the Social Security Administration, it might require a first-floor property accessible to the public." The system also will take into account governmentwide rules, such as the 1990 Americans With Disabilities Act.

But business rules management software can do more than that, says David Straus, a senior vice president at Corticon Technologies Inc. of San Mateo, Calif. The firm provides the Corticon Decision Management System to the Federal Aviation Administration and other government agencies, as well as to commercial organizations.

"Our best estimate is that no more than 5 [percent] to 15 percent of the decisions in a given organization are automated-complex decisions like which vendor to pick for a contract to simple decisions like whether you should approve an employee's vacations. BRMS works well for all types of organizational business decisions," Straus says.

By automating these decisions, he says, agencies not only can reduce costs by removing manual labor from the business process but can become more agile and minimize risks.

"Say you have a government agency doing workers' compensation. When you approve a workers' compensation claim you shouldn't have approved, you spent money you didn't need to spend," says Straus. "And on the flip side, when you fail to approve claims you should have approved, you open up the organization to litigation. The goal is to consistently make decisions-and make them correctly."

Many agencies are jumping on the bandwagon, turning to business rules systems such as those from ILOG and Corticon, and Blaze Advisor from Fair Isaac Corp. of Minneapolis.

The Federal Emergency Management Agency uses business rules software to provide faster validation to insurance companies for flood insurance, while the District of Columbia is using it to determine eligibility for Medicaid coverage or services from the D.C. HealthCare Alliance. And Washington state's Department of Social and Health Services is using the software to automate its growing number of policies and procedures for payments to third-party service providers.

The Veterans Affairs Health Administration Center in Denver turned to business rules management software to help process more than 6 million claims annually for four government programs.

"The health care benefits we provide to veterans and their dependents are guaranteed based on legislation. As these programs evolve, the rules used to process these claims also must change," says Peter Muller, chief of project coordination at the VA's Denver center.

Business rules software will enable VA to streamline claims processing, Muller says. Rules will be maintained and re-viewed from a central database, he says, so policy experts can focus on interpreting claims processing rules rather than keeping the system up to date.

Pierre-Henri Clouin, market development director for the public sector at ILOG, sees a significant increase in awareness, with recent feelers from agencies such as the Internal Revenue Service and the Justice Department.

"We started selling in the federal sector in 2002, and our initial approach was to go after any situation where we saw a functional need," he says. "But we're seeing people actually putting out requirements for BRMS instead of specifying their functional needs, which require us to try to fit BRMS into their situation."

Federal agencies' reliance on business rules and shared processes is burgeoning, leading to a natural growth in the software. "It's about greater agility, reducing operational costs and providing greater service to constituents with tightening budgets," Straus says.

]]>

Blueprints for Business

Karen D. Schwartz — Sun, 15 May 2005 00:00:00 -0400

Agencies struggle to get a handle on enterprise architecture planning.

Two years ago, the idea of developing an agencywide blueprint for running the Food and Drug Administration seemed impossible. Many of the agency's scientists were unfamiliar with how FDA's business processes worked, but senior managers were entrenched in those processes.

Nevertheless, following the federal mandate to implement enterprise architecture in 2002, the FDA got to work, naming Gary Washington chief enterprise architect. Reporting to the chief information officer, Washington heads the group planning how to manage the information necessary to operate the FDA and the transition to new technologies to respond to its changing needs.

At first, creating one template for the entire operation was a tough sell. But gradually, senior managers began to understand that it would improve work plans, work processes and work life. Today, the FDA is in the midst of full-scale enterprise architecture planning and implementation at headquarters and at each of its eight centers.

Washington and his team created a planning group that acts as a liaison between the operating and information technology departments to identify processes that could be standardized. The FDA also developed an online repository of information about enterprise architecture that's open to other agencies. The FDA and countless other agencies are making progress, but government and industry watchdogs say they could improve their planning to get quicker results. During the past year, reports from the Government Accountability Office and the Office of Management and Budget emphasized agency leaders' lack of understanding of enterprise architecture and a paucity of staff to make changes.

The biggest barrier is a lack of strong executive sponsorship, according to a recent report by the Enterprise Architecture Shared Interest Group of the Industry Advisory Council. The Fairfax, Va.-based council represents private sector organizations that sell IT products and services to the government. The group's report found that in many cases, planning is delegated to a chief information officer with little involvement by agency heads and senior executives after the initial kickoff.

"Understanding the performance of your program is fundamental to making decisions about it," says Dan Twomey, chairman of the Shared Interest Group and director of marketing for enterprise solutions at Altarum, a nonprofit research institute in Ann Arbor, Mich.

Ira Grossman, chief enterprise IT architect for the National Oceanic and Atmospheric Administration, agrees. "It's not necessarily understood outside of the engineering community. They don't see how it ties to the business strategy and mission goals. . . . They just see it as IT and money taken away from other things," he says.

The industry council urged OMB to require agencies to document plans for executive involvement and sponsorship, and ensure that resources are provided to maintain momentum. Many plans are not adequately funded, the council noted, recommending that OMB set guidelines for preparing and investing in enterprise architecture. "At NOAA, Congress wants a lot of this effort, but funding isn't necessarily there to have the appropriate staff and resources to get it all done," Grossman says.

Sharing lessons learned and best practices across government would help, the industry council noted. One place such information can be shared is the CIO Council's Chief Architects Forum, a group of federal chief architects. Grossman is the chairman. "It's a perfect example of where there are thoughts and ideas shared about what can be done to set up a repository of artifacts, documents, reusable lists-things architects can use and not have to re-create from scratch," says Mike Tiemann, Industry Advisory Council member and principal for enterprise architecture at AT&T Government Solutions.

A lack of clear and consistent guidelines has hampered enterprise planning across government, the council said, recommending a coordinated presentation on approaches to developing departmental plans. "The guidelines are pretty clear to someone involved with [enterprise architecture], but somehow we need to be able to communicate those guidelines better to others in a clear and concise manner," the FDA's Washington says.

The council called for more consistency and less redundancy between the enterprise architecture frameworks provided by OMB and GAO. "One is in left field and one in right field," Grossman says. "GAO's is more process-oriented . . . while the OMB model looks at products and deliverables."

Bill Wright, chief technology officer for Troux Technologies in Austin, Texas, which supplies the Metis visual modeling tool for enterprise architecture development, sees shortcomings across government. "They almost universally don't approach [enterprise architecture] with the same mind-set and discipline they might apply to a software systems development process," he says. "And they don't think of EA as a project with a mission and a charter and deliverables and measures. The whole idea is to treat EA as a series of incremental projects with measurable objectives."

]]>

The Power of Six

Karen D. Schwartz — Fri, 01 Apr 2005 00:00:00 -0500

The souped-up IPv6 promises the muscle and speed to track just about any agency asset through the Internet.

Imagine every communications device, airplane, tank, ship-and every working part on those planes, tanks and ships-had an Internet Protocol address, the proverbial license plate needed to traverse the information highway. If that were the case, any of those assets could easily be categorized, addressed, labeled, referenced and, most important, located.

That's government's vision, but getting there will take time, perseverance and a technological leap from Internet Protocol version 4 (IPv4) to the new and improved IPv6. An Internet Protocol is the set of rules by which data is sent from one computer to another. An IP address is four numbers set apart by periods, each number ranging from zero to 255. For example, 1.160.10.240 could be an IP address.

The expansive IPv6 provides much-needed additional IP addresses-enough to provide every asset with its own. IPv4 allows for 4.3 billion addresses, which goes a long way toward supporting the constantly growing number of devices such as computers and satellites, Global Positioning Systems and mobile phones. IPv6 will increase that number significantly.

The extra capacity is critical to the federal government. It would allow the Defense Department, for example, to create an address for every aircraft, each of the plane's subsystems and every one of its components.

"If you can address a component, then that component can report that it's going bad before it dies out, so you can plan its maintenance with minimum interruption," says Osama Mowafi, chief technology officer at SI International Inc., a Reston, Va., systems integrator that supports the Defense Information Systems Agency in the Defense transition to IPv6.

Benefits such as those prompted Defense to mandate a move from IPv4 to IPv6 by 2008. All new Defense technology purchases since October 2003 have to be IPv6-compatible.

Myriad other benefits of IPv6 will change the way organizations do business. The technology will break barriers to information-sharing, says Charles Lynch, chief of Defense's IPv6 Transition Office, spearheaded by DISA. "Every entity that needs to be reached, whether it's a PC, an automobile or an electronic component on an aircraft, will have multiple IP addresses," he says. "Each device can have addresses that permit only local access, creating a virtual intranet within an organization, or they can have addresses that have global reach."

IPv6 also will drastically reduce the time it takes to set up ad hoc networks in warfighting situations, thanks to a new feature called Neighbor Discovery. With it, "devices discover their neighbors and start setting up ad hoc networks by themselves, so warfighters would no longer have to take the time to set up a network between personnel, equipment and vehicles with trucks, antennas and phones," Mowafi says.

Information security will be enhanced because IPv6 requires Internet Protocol Security, a set of procedures for network security. "It will be possible to use the protocol to perform authentication and will permit every data flow to be encrypted," Lynch says.

Once IPv6 is fully implemented, government users will gain other capabilities, such as monitoring multiple assets in real time. "If geospatial addressing is used, for example, logistics items could be tagged with an address permitting users to track their location and movement," Lynch says. "Users would no longer have to wait for an item to arrive at a transfer station and be logged before they could identify its whereabouts and status." Some agencies already use such tracking systems, but IPv4 limits their capability.

The Army and Navy are moving toward IPv6, but other agencies and departments seem to have a wait-and-see attitude, watching Defense's progress. Those that have expressed interest include the departments of Homeland Security and Treasury, the Federal Aviation Administration and the Office of Management and Budget. The Office of the President sent employees to a recent conference sponsored by IPv6 Summit Inc., an organization that hosts symposiums on the technology for federal, business and technology leaders.

"All of these agencies will convert to IPv6 at some point and realize the same usability, flexibility and deployability capabilities version 6 brings to the market," says Rod Murchison, senior director of product management in the security products group of Sunnyvale, Calif.-based Juniper Networks, a networking and security solution provider .

Today, the Defense IPv6 Transition Office is defining milestones, identifying specific IPv6 functions needed at each stage and developing specifications that will allow various states of IPv4 and IPv6 to interoperate. The lessons learned will be available to agencies that request them, Lynch says

Chief among the risks of Defense's transition is the department's dependence on commercial products-they must be IPv6-capable. One of the toughest challenges will be moving to compatible applications.

That might be only the tip of the iceberg, says Bruce Fleming, divisional technology officer for Arlington, Va.-based Verizon Federal Network Systems. "All this is uncharted territory," he says.

]]>

Eye on Security

Karen D. Schwartz — Sat, 01 Jan 2005 00:00:00 -0500

Directives on securing agency networks have pushed compliance from 26 percent to 70 percent in three years.

By now, chief information officers throughout the federal government clearly understand the importance of network security. Between the 2002 E-Government Act and the President's Management Agenda, and the relentless quarterly evaluations by the Office of Management and Budget, no agency is immune to the constant quest for more effective network security. It can only become more important as large contracts consolidate and integrate telecommunications throughout government, making interconnections between systems more complex and vulnerable. Consider, for example, the Federal Technology Service's Networx or the Homeland Security, Justice and Treasury departments' joint Integrated Wireless Network.

To ensure that networks are secure, agencies must comply with the Federal Information Security Management Act, which is part of the

E-Government Act. FISMA sets guidelines for making federal networks secure, with the goal of zero downtime and zero incidents that interrupt agency business. The bottom line is to ensure that networks are available and that data is confidential and reliable.

FISMA has done a great deal to impress the importance of network security on agencies, and many have made great strides, says Karen Evans, administrator of OMB's Office of E-Government and Information Technology.

But even with compliance on the rise, there is much more to be done. For the past two years, OMB has focused on getting 90 percent of agencies' systems certified and accredited-a goal it has yet to reach. In the summer of 2004, Evans says, about 70 percent were secure. Although that number fell short of the 90 percent goal, it was drastically better than the 26 percent compliance rate of three years ago, she notes.

Evans says federal leaders should first realize that there is no "one thing" agencies can do to reach their goal. Instead, as explained in FISMA, security is about implementing a methodical, risk-based approach.

"That means every management decision you make has to be risk-based and cost-effective," Evans says. "Every recommendation you make is a balance of how much risk you're willing to take to provide that service."

The Transportation Department is ahead of the curve on network compliance. Getting there hasn't been easy, but the hard work is paying off, says Lisa Schlosser, the agency's chief information security officer and associate CIO for investment management.

From a management standpoint, success rests on executive leadership and buy-in, Schlosser says. Transportation leaders made FISMA and other OMB security requirements part of the performance plan and performance metrics to ensure compliance down the line.

As challenging as the managerial side of the equation may be, the technical side is far more complex. The National Institute of Standards and Technology has developed Federal Information Processing Standard 199, a security categorization that should be the first step in risk assessment, says Ron Ross, NIST's project leader for FISMA implementation. The standard helps agencies categorize each system in terms of having a low, medium or high impact on the agency's mission. "It allows agencies to focus their scarce information security resources in the most important areas," he says.

NIST has developed other security-related guidelines building on FIPS 199. One will define the security controls needed to protect each category of system, Ross says.

Commercial software can greatly help network security. With an automated vulnerability remediation or scanning tool, for example, agencies can conduct enterprisewide vulnerability scanning.

"If you are going to invest in any tool to improve your program and minimize your network risks, implement an enterprise vulnerability testing and remediation software solution," she says. "They aren't that expensive, and you get the most bang for your buck." In fact, two are free-Nessus (www.nessus.org) and Microsoft Baseline Security Analyzer. These can help agencies discover all devices on a network, many of which they might not have known existed, says Jeff Harrell, product marketing manager at nCircle, a San Francisco-based provider of vulnerability management solutions, such as the FISMA Compliance Solution. Other vendors offering FISMA compliance tools include AppScan, WatchWire, Preventys and BindView.

"Once they know what's out there, they can find out what kind of shape they are in and what kind of vulnerabilities they have, and then compare that information to the policies they set in place," he says. "For example, maybe all your Windows machines should be running Microsoft XP ServicePack 2. This type of software would show you that all your machines are running ServicePack2 except five. Then you can fix those machines."

Other vulnerability remediation tools include QualysGuard from Qualys Inc., Class 5 Automated Vulnerability Remediation (AVR) from Secure Elements Inc., Hercules from Citadel and McAfee's Entercept.

Tools that check security configurations are useful in setting the required baseline configurations on all technology. These are free from the Center for Internet Security (www.cisecurity.org), as well as from Microsoft and others.

To track progress on FISMA metrics, the Transportation Department uses an enterprise security portal, which provides a "dashboard" approach. "I can sit at my desk . . . and determine where we were last week in meeting our certification and accreditation goals all the way through which assets are being patched and which aren't," Schlosser says. Vendors offering enterprise security portals include LURHQ and NetForensics.

Evans believes using FISMA compliance tools, studying the regulations and applying old-fashioned diligence will go a long way toward increasing the level of network compliance. "This year's goal again," she says, "is to have 90 percent of all IT systems properly secure."

]]>

Portals in the Storm

Karen D. Schwartz — Wed, 01 Dec 2004 00:00:00 -0500

Geographic information systems helped brace Florida officials for this year's spate of hurricanes.

By the time a natural disaster hits, it's usually too late to set up the processes needed to adequately protect citizens and the environment. Florida officials have learned that lesson the hard way after their share of major storms-such as the devastating Hurricane Andrew in 1992-floods and other natural disasters. They know that surviving such a catastrophe is contingent on gathering the right people with the right knowledge, accessing and disseminating the right data, and using the right technology.

Now Florida coordinates all disaster preparation and recovery through its statewide emergency operations center, under the Division of Emergency Management. The center gathers geographic and other data from federal, state and local organizations to arm Florida's first responders with the information they need to protect citizens and infrastructure.

But even with their experience, Florida officials were taken aback by the speed and force with which hurricanes Charley, Frances, Ivan and Jeanne pounded the southeastern United States. They had to scramble to predict what was likely to occur so they could gather and deploy the appropriate rescue teams and supplies.

The months-long effort to collect the data that is critical to such analysis was the result of two key components-a knowledgeable geographic information systems coordinator and effective GIS technology. Without them, the state wouldn't have weathered the recent rash of hurricanes nearly as well as it did. The coordinator runs the emergency operations center, supervising analysts who use GIS software to track storms and to assess their damage. After analyzing the information collected, the GIS coordinator determines what actions should be taken, including pinpointing high-priority areas and communities, dispatching rescue teams, and supplying food and medicine.

Leading the effort was Carla Boyce, pulled at the last minute from her job as a GIS coordinator and environmental specialist for Florida's Environmental Protection Department to replace the emergency operations center's GIS coordinator, who had recently left the position.

To prepare for the pounding Florida was likely to receive, Boyce put her training garnered from years as a firefighter and paramedic to good use. She knew that to be able to assess damage before it occurred and determine which populations and areas were at highest risk, she had to gather as much geographic data from as many sources as possible. She first went to federal sources, pulling real-time data from the U.S. Census Bureau as well as high-resolution imagery and other data from the Federal Emergency Management Agency, the National Oceanic and Atmospheric Administration, the National Weather Service and the U.S. Geological Survey.

The center gathered information from state and county organizations, including the Florida departments of Environmental Protection and Health, and the Fish and Wildlife Conservation Commission, among others.

Before the hurricanes, the team turned to FEMA's HAZUS-MH risk assessment software powered by the ArcGIS engine from ESRI of Redlands, Calif., to model potential damage and plan its response.

During Hurricane Charley in August, the team used HAZUS-MH to determine how many elderly people and young children might be affected by the storm. "When Charley was headed over areas with huge populations of people 65 and older, who were economically disadvantaged and couldn't afford to evacuate, we were able to order truckloads of Ensure and other products. But when the storm changed and went to an area with an increased [0- to 5-year-old] population, we were able to catch it soon enough to redirect our efforts to send baby formula and diapers," Boyce says.

The team used GIS tools to evaluate the data it collected before and during the storm. The center mostly used ArcGIS, but MapGuide from Autodesk Inc. of San Rafael, Calif., was the backbone for Web sites providing flood maps, evacuation routes and shelter locations. MapGuide helped emergency workers monitor evacuation routes among flooding or debris, says Jon Hansen, Autodesk's manager of emergency response solutions.

To combine other information and intelligence, "We used the duct tape/sledgehammer method," Boyce says, "where you sledgehammer the Lotus Notes Tracker system into Microsoft Access by way of Excel and duct tape it all together so it talks to the ESRI software." The team also used ESRI's ArcPad StreetMap and XMap software from DeLorme of Yarmouth, Maine, to demographically characterize various locations.

This array of technology enabled the team to determine which populations were in Charley's path-especially critical segments such as the elderly or sick. The information was used to create maps for emergency teams. Each team was assigned a particular issue, such as health, which focuses on hospitals, nursing homes and at-risk populations.

The emergency operations center's efforts didn't end when the hurricanes abated. In fact, the team put considerable time and effort into using GIS technologies to handle the aftermath. The team analyzed information from the National Weather Service, water management districts, FEMA and other sources to assess damage and determine how to handle floods and other effects of the storms.

Boyce says she has learned quite a bit about what to do-and what not to do-next time. Trying to ensure the health, status and source of all data prior to a disaster and using downtime to search for missing data pieces and produce maps is critical, Boyce says.

But she wants to coordinate statewide disaster efforts with the counties, many of which operated independently during this year's rash of storms. Pinellas County, for example, operated from its own emergency operations center, identifying evacuation routes, shelter locations, flood predictions and power outages.

Without GIS technology, the Florida emergency operations center's job would have been much more difficult, if not impossible, Boyce says.

"The need for a concerted GIS/information management response was critical to serving the needs of victims and potential victims, as well as providing natural resource protection, water quality protection, and assessment of potential and actual impacts," she says.

]]>

Private Eyes

Karen D. Schwartz — Mon, 01 Nov 2004 00:00:00 -0500

Visual analytics tools sharpen real-time video detection systems.

When two terrorists detonated a bomb near the hull of the USS Cole in the Yemeni port of Aden, nobody saw it coming. That tragedy, in October 2000 in the Arabian Peninsula, killed at least 17 Americans and injured 35 others.

Similar situations could be being prevented every day now, thanks to sophisticated visual analytics software that allows law enforcement and intelligence personnel to analyze the movement of people and objects with greater detail than ever before. This real-time technology provides security for critical infrastructure by allowing analysts to detect and classify objects under surveillance, search for breaks in expected patterns, and create policies specifying exactly what should be searched.

Hundreds of cameras can be distributed around a facility-a border, seaport, airport, or other perimeter. Video is continually processed and sorted, and people are tracked as they move from one camera to the next.

"That way, if there is an incident, all of that information has been recorded, so you can go backward to see how a person moved through a facility and who he met with," says Peter Burt, chief scientist at Arlington, Va.-based Pyramid Vision, which develops visual analytics tools for the security and surveillance markets.

Consider this typical scenario: A man walking through an airport quickly disappears into the crowd. The airport security team, suspecting foul play, consults its computer system, which has tracked the man's movement during the past 30 minutes and predicts where he is likely to go next. Within seconds, the security team knows whether the man poses a threat and can take appropriate action.

No End in Sight

The growth of visual analytics software over the past few years has been staggering, thanks to the increased needs of law enforcement and intelligence organizations and an explosion in technology advances.

Federal agencies are eager to exploit the ever-growing capabilities of this software. The Navy, for example, has implemented the Security Data Management System from VistaScape of Atlanta to protect ports and airfields in San Diego. The Navy now can track and detect would-be intruders and notify security personnel with enough advance notice to take evasive action. The Navy's solution uses infrared thermal imaging, which allows analysts to track movement in light or darkness and in a variety of weather conditions.

By clicking and drawing on an aerial photograph on a computer screen, operators can establish an "invisible fence" around naval vessels. The fence area is covered by cameras continuously detecting and feeding the results of surveillance to a screen and signaling the operator when a breach occurs.

"It's almost like a Pac-Man screen where you see objects moving all around in real time," says Vista-Scape CEO Glenn McGonnigle. "Establishing a virtual barrier is a matter of pointing and clicking."

Similarly, the Homeland Security Department's Customs and Border Protection bureau installed video surveillance from ObjectVideo of Reston, Va., along the Canadian border. Because many roads crossing into the United States weren't staffed 24-7, the agency first invested in standard video motion detection technology, but encountered hundreds of false alarms daily because the system misjudged trees, heavy snow and other objects as threats. In 2003, agency officials installed visual analytics software, which allowed them to define specific security rules and receive instant notification when those rules were broken.

Visual analytics software monitors specific acts in real time, while related forensics software allows organizations to analyze the movement of people and objects by searching archived video, much like they can search text.

Such capability would have been helpful in complex investigations such as the recent Washington sniper case, notes Alan Lipton, ObjectVideo's chief technology officer. In 2002, 10 people in Washington, Maryland and Virginia were slain in random shootings. Police and law enforcement agencies spent weeks looking through thousands of hours of video from gas stations, parking lots, department stores and traffic management cameras searching for a white van they suspected was involved in the shootings. Later they realized they should have been looking for a blue Chevrolet. Two suspects eventually were arrested, and both were convicted.

With video forensics, "They could have pre-analyzed all of that video quickly," Lipton says. "They could have asked in real time to see all instances of white vans, and when they realized they were looking for a blue Chevy, they could have quickly changed course. And they could have done it all in a matter of hours."

Although today's video analytics software is light years ahead of where it was two years ago, much more can be done. Advances could include teaching the system to notice someone walking in an unnatural fashion-perhaps because he has a bomb strapped to his leg-or to detect that a person has gone from a vertical to a horizontal position, indicating that he might have been injured.

Perhaps the biggest breakthrough will come when visual analytics tools can watch extremely large amounts of video over wide ranges of space and time.

"If one truck breaks down in a tunnel in Manhattan, nobody would think much of it. But if you have cameras monitoring every bridge and tunnel in Manhattan, and you can see that trucks are breaking down simultaneously in every bridge and tunnel, a computer could make that connection," Lipton says. "All of a sudden, what looked like an isolated event might be a coordinated attack."

]]>

Straight Talk

Karen D. Schwartz — Fri, 01 Oct 2004 00:00:00 -0400

SAFECOM is helping public safety agencies find better ways to communicate during an emergency.

As recently as a few years ago, Vermont state troopers trying to catch a suspect in a high-speed chase could be thwarted simply because they crossed a county line. Once over that line, the troopers' radio system loses contact with law enforcement officers in other jurisdictions. In California, officers from the highway patrol and the sheriff's department, chasing the same suspect, had to drive next to each other with their windows rolled down and shout their instructions.

These far too common examples illustrate the challenges public safety agencies face trying to work together in the post-Sept. 11 world.

To avoid calamities, public safety operations at all levels of government must achieve the interoperability needed to handle a catastrophic incident, something the size of the Sept. 11 attacks, says David Boyd, deputy director for systems engineering and development at the Homeland Security Department. "We want to make it possible for any public safety officer in any emergency to communicate with whoever they want to, whenever they need to, when properly authorized to do so," says Boyd, who is director of the agency's SAFECOM program.

Established in spring 2002 and approved by the President's Management Council as a high-priority e-government initiative, SAFECOM promotes better technologies and processes for cross-jurisdictional and cross-disciplinary coordination of public safety communications. It develops standards, provides training and technical assistance, develops and evaluates technologies, and coordinates guidance to agencies that provide grants for communications and interoperability.

As ambitious as SAFECOM is, the initiative and its supporters face significant challenges.

One of the most notorious is the age and incompatibility of much of the communications equipment used by public safety agencies-some of it as much as 40 years old. SAFECOM is working to ensure that interoperability is a fundamental part of planning for new equipment purchases. By tying those requirements to federal grants, Boyd believes the issue gradually will be resolved as old equipment is replaced by new.

A second challenge is the lack of available spots on the radio spectrum needed to transmit public safety communications. A few years ago, public safety agencies gained access to additional spectrum, but more is needed. The Federal Communications Commission, which regulates the satellite airwaves serving a multitude of industry, military and government consumers, is working to identify a way to quickly free up more spectrum, Boyd says.

SAFECOM also must address the limited and fragmented way that emergency communications are funded in state and local agencies. Some funds come through federal block grants and others from local communities. SAFECOM has developed guidance for grants that enables agencies to upgrade systems more easily. And SAFECOM, along with the Federal Emergency Management Agency and the Justice Department, developed the Interoperable Communications Grant Clearinghouse to eliminate duplication of funding and evaluation efforts, coordinate the application process, and maximize limited funding and resources.

Another roadblock is a lack of adequate equipment standards. What, exactly, is a perfect system? "Ideally, it would be like a desktop computer, where you can get a piece of equipment and know that it will work, at least at some basic level," Boyd says. SAFECOM, with the National Institute of Standards and Technology, has produced temporary requirements, including the testing of radios for compliance with FCC specifications, but Boyd says it will take a few more years to develop and implement mature standards.

SAFECOM is encouraging industry to use common platforms in developing communications equipment to eliminate proprietary barriers. "Part of the difficulty we've had over the years has been the existence of proprietary protocols and technologies, which make it difficult for anyone to build things that work with it," Boyd explains. "That means that instead of gradually upgrading a system, you'd have to replace everything in one fell swoop."

Probably the greatest test is the human aspect. "Causing people to rethink how they are doing things sometimes threatens turf or existing structures, so the first and most important thing you have to work on is how to cause the community to want to work together," Boyd says. "You have to develop a process that doesn't appear to be the federal government telling you what you have to do, but a system that is designed to start at the lowest level. It's got to be a bottom-up driven approach." These challenges may be daunting, but people have become much more willing to accept change since 9/11, Boyd says. The federal government has followed through on the initiative with $150 million in grants in 2003, half from Justice and half from Homeland Security and FEMA. That's in addition to the roughly $4 billion per year in block grants to the states.

SAFECOM seems to be on track. It has created a governance process and has the support of major public safety organizations such as the National League of Cities, the National Association of Counties, the Association of Public Safety Communications Officers, the U.S. Council of Mayors and the National Public Safety Telecommunications Council. It also created the Federal Interoperability Coordination Council, which promotes coordination among federal entities involved with public safety. In addition, the initiative has integrated the Public Safety Wireless Network Program, which fosters interoperability among public safety wireless networks, and sought information from industry on technology concepts and existing or underdeveloped products or services that could generate compatible systems.

In the near future, SAFECOM plans to develop an interoperable communications center and grants clearinghouse on the Web that will help public safety organizations identify the best tools for their jurisdiction, develop technical assistance publications, continue developing appropriate standards, and work with the joint Justice and Homeland Security 25 Cities Project to make the top 25 high-threat metropolitan areas interoperable.

These steps are all positive, but solving the interoperability challenge will take time, says Karen Evans, administrator for electronic government and information technology at the Office of Management and Budget. Last year, Evans stressed the importance of SAFECOM's goals in testimony before two House Government Reform subcommittees.

"While great strides have been made toward improving interoperability for our nation's first responders, this is not a problem that can be solved overnight-or even in a year or two," she said.

In fact, even as government works hard to improve wireless communication systems, a critical mass of interoperability throughout the country might take another 20 years, Boyd says, because of long equipment life cycles and constantly changing standards.

]]>

The Big Picture

Karen D. Schwartz — Wed, 01 Sep 2004 00:00:00 -0400

Portfolio management tools give agencies a leg up on information technology investing.

Like many federal organizations, the Navy operated for years as a decentralized institution-a model thought to provide significant agility and efficiency for both government and its citizens. But as Navy leaders are finding during the implementation of the multifunctional Navy Marine Corps Intranet, decentralization comes at a high price.

In the Navy's case, as the hard work of consolidating services and offerings into one enterprise network got under way, it became painfully clear that the mammoth organization operated tens of thousands of applications-many of them redundant or outdated.

"The problem is that great, innovative minds build innovative solutions but [do so] locally, creating duplication of effort," says Navy Chief Information Officer David Wennergren. "And as you begin to look at how best to spend your money, you find you just can't afford that duplication."

It was at that point, Wennergren says, that Navy leaders finally understood that the only way to meet its mandates of spending more wisely and serving citizens most effectively was to pare back to the most efficient systems.

Increasingly, the Navy's experience is becoming common. The Office of Management and Budget and the Government Accountability Office, along with Congress, have issued mandates and regulations in recent years designed to encourage agencies to manage information technology assets more effectively by standardizing requirements.

The momentum started building in 1996 with the passage of the Clinger-Cohen Act, designed to eliminate redundant systems and to ensure that IT resources are used effectively. Among other things, the law calls for the implementation of a "portfolio investment process" so measurements can be tracked.

OMB also got into the act with its revised Circular A-130, published in 2001. It requires agencies to outline the criteria used to choose IT investments along with the methods they will use to control, manage and evaluate those investments.

GAO bolstered these efforts last year by developing the IT Investment Management Framework, which provides a common structure for assessing IT capital planning in all agencies as well as a full definition of the critical management processes.

Wrapping everything together is the Federal CIO Council's Best Practices Committee, which has written a guide to practices and lessons learned in portfolio management, and is working on a survey to assess agencies' progress. It also is setting up a best practices exchange on the Federal CIO Council Web site, www.cio.gov, where agencies can explain their tools and processes, says Wennergren, who also is co-chairman of the committee.

Knowing What You Have

To meet oversight goals and requirements, agencies must tally their systems and functions, and understand how each works and where overlap exists. For many years, that difficult task was laboriously performed manually, with varying degrees of success. Often, this seat-of-the-pants approach led agencies to duplicate programs or systems.

Today, agencies are turning to increasingly sophisticated portfolio management solutions.

True portfolio management is a combination of technology, processes and analysis, providing ways to delve both vertically and horizontally into an organization. The goal is to create a common understanding of what is owned, allowing leaders to make informed choices about which processes, functions and programs to keep and which to phase out.

Portfolio management allows IT departments and business organizations to learn more than just which IT projects are being requested and funded, says Jim

Rinaldi, the Food and Drug Administration's chief information officer. "It gives us more analytical capability and shows promise in helping us change how we invest, so it's easier to determine investments that are similar and those that can be merged or reduced," he says.

Better commercial tools for portfolio management have made this process infinitely easier. Market leader ProSight of Portland, Ore., which aims to give leaders the information they need to make more informed decisions about technology portfolios, has won customers at the U.S. Mint and departments of Veterans Affairs, Health and Human Services, Treasury and Homeland Security.

The FDA is using a combination of three tools. Analysts use Microsoft Project to gather information about what each IT system is used for by various organizations within the agency, while ProSight captures data related to a specified set of tasks and compares information on various projects. Metis, a visual modeling tool for enterprise architecture from Computas of Sammamish, Wash., is the third tool, recording the rules a business unit sets up and allowing those rules to be standardized throughout the agency.

Authorized employees can use Pro-Sight to view a dashboard with information from Metis to determine the financial and operational risks of a given investment and how much of the budget that investment takes up.

"In the past, there was so much information that executives had a hard time digesting [it]," says Rod Bond, director of the strategy and planning staff in the FDA's CIO office. "Now we can look across our different investments and find ways we can combine them and maybe save money."

The Navy has combined the concept of portfolio management with the creation of IT functional area managers, each of whom leads a single area such as logistics, personnel or acquisition. Functional area managers use portfolio management tools to choose which software and other applications they want to make available to users of NMCI. The Navy uses a variety of portfolio management tools, including the custom-developed Department of Navy Application and Database Management System.

The processes seem to be working. The Navy started with 100,000 applications for a variety of functions such as logistics, personnel and acquisition, migrated down to 60,000, and then to 38,000 over the past two years. "We're now down to a set of about 5,000, and we continue to work that down even further," Wennergren notes.

Although the benefits are significant, setting up a full-fledged portfolio management solution is challenging. Not only does it take time and money, but it may require special training.

The biggest challenge often is cultural. "It's hard for system owners to accept because they see their systems being compared against others. It can cause them to get defensive," Bond points out.

To help ease the transition, he recommends starting with small wins. Gaining converts slowly, especially among executives, can show the benefits of portfolio management. "It's important to know your culture," he says.

As oversight organizations continue to push federal agencies to manage assets more effectively and tools continue to develop, more agencies will embrace portfolio management.

META Group, a Stamford, Conn., consultancy, believes that the portfolio management tool market, which totaled about $85 million in 2002, will reach $480 million by next year.

Greater functionality also will contribute to greater adoption, says John Cimral, ProSight's chief executive officer. He says more sophistication in collaborative analysis as well as the ability to perform scenario generation and impact analysis will attract more customers to portfolio management.

"You'll be able to have an automated system that can look at changes OMB is requiring and come back with a coherent response within two days that reflects portfolio management thinking," he says. Cimral also predicts that over time, enterprise architecture and outsourcing and security management also will be better integrated into portfolio tools.

]]>

Piecemeal Watch List

Karen D. Schwartz — Tue, 01 Jun 2004 00:00:00 -0400

Painfully slow progress hinders master database of terrorist suspects.

Everyone agreed the idea was a good one-a comprehensive list of up-to-date information from a variety of agencies that would prevent terrorists from entering the United States. But execution of this list has been far from smooth.

As envisioned by President Bush, the terrorist watch list would be developed by the Homeland Security Department during its first 100 days. The aim was to integrate lists from about a dozen agencies into a single, searchable inventory by December 2003.

Progress, however, was slow and laborious. In April 2003, Homeland Security Secretary Tom Ridge testified before the Senate that his department was "accelerating consolidation of watch lists."

Following that testimony and a spring 2003 General Accounting Office report that stated the government still was using 12 separate lists maintained by nine federal agencies, Sen. Joseph Lieberman, D-Conn., called on Bush to issue an executive order directing that all terrorist watch lists be consolidated by December 2003.

The order was given in September 2003, stipulating that the FBI's Terrorist Screening Center would now lead the project. Under the order, the center would act as a hub for terrorist screening data, and would incorporate a 24-7 call center, access to coordinated law enforcement, and a formal process for tracking encounters.

Although December 2003 came and went without a fully functional list, those close to the process say that progress, while slow, is being made. On March 25, Donna A. Bucella, director of the screening center, testified to several House subcommittees that the TSC had met its goal and begun operations by Dec. 1, 2003. She noted that since its opening, the center now answers calls and coordinates activities with other agencies, and has revoked dozens of visas.

But Lieberman and others decry the fact that the center is not fully functional. Although most lists are in one place, not all data is accessible or complete, notes a Lieberman staffer. In addition, crucial Defense Department data has not been incorporated, causing large gaps in information, the staffer says.

Bucella also noted in her March testimony that full rollout would occur in three phases. Phase 1, which makes names of terrorists and other identifying information available, has been completed, she said. Phase 2, which was completed on March 1, included the development of the Terrorist Screening Database, which contains identifying information of known or suspected terrorists. Bucella says that Phase 3, which concludes at the end of 2004, adds development of a more dynamic database and a single, integrated system for ensuring known or suspected terrorists' identities.

Although the process is taking longer than many would like, it's necessary to use good architecture principles to ensure that the terrorist watch list remains usable and maintainable, says Tim Keenan, president of High Performance Technologies Inc., a Reston, Va., company that developed the enterprise architecture for the Homeland Security Department.

"I think it shows great courage to stay the course considering the heat they are getting, and to actually figure out which systems currently do what, how they do it, and then step back and more intelligently decide the best way to automate the processes," Keenan says.

But Lieberman and others, including Rep. Jim Turner, D-Texas, ranking member of the House Select Committee on Homeland Security, believe the project's constant problems are a result of passing the buck. After 9/11, Bush gave the White House Office of Homeland Security responsibility for the project.

In July 2002, control was shifted to the FBI. Soon afterward, responsibility reverted to the White House, then to the new Homeland Security Department, and finally back to the FBI under the auspices of the new Terrorist Screening Center. It is that type of back and forth, they say, that has hindered progress.

And to make the watch lists truly effective, Lieberman's office also calls for including the Transportation Security Administration's no-fly list of potentially dangerous passengers developed with the help of airlines. That list is not part of the watch list, according to a Lieberman staffer.

Critics believe the project is far from fruition.

"We've come a long way, but we have a long way to go before we fulfill the promise to adequately secure the safety of the American people," Lieberman said in a March 2 statement. "The truth is, we have no more urgent priority."

]]>

Tag Team

Karen D. Schwartz — Sat, 01 May 2004 00:00:00 -0400

Defense perfects its inventory handoffs with RFID technology.

In the world of retail, efficiency is the name of the game. Powerhouses such as Wal-Mart have succeeded largely because of their smooth supply chains. They are about to raise the stakes for everyone else by requiring that top suppliers begin using radio frequency identification (RFID) tags on their pallets and cases of inventory by early 2005.

Defense Department officials see enough similarities between the logistics operations of retailers like Wal-Mart and Target and those of the U.S. military to pin their hopes on similar benefits. The department is using RFID tags to improve the speed and accuracy of crucial supply deliveries to U.S. military personnel.

"We've been using bar codes for decades to improve the quality of data entry, but this was an opportunity to apply a new technology-passive RFID technology-to improve the quantity of our data and the timeliness of data availability," says Ed Coyle, chief of Defense's Logistics Automatic Identification Technology Office. "That's exactly what we need for an agile force."

"It's about making sure everyone gets what they need when they need it," says Alan Estevez, assistant deputy undersecretary for supply chain integration. "If I know what I'm moving and where it is in the pipeline, that either precludes me from reordering it, or having to fly it, if I know where it is. And it helps me manage my inventory better, which translates into better use of dollars."

RFID uses radio frequency waves to identify objects or people. An RFID system consists of two basic components-the tag itself (also called a transponder) and a reader, which consists of an antenna and transceiver that reads the tag.

There are two types of RFID systems-passive and active. The battery-powered active RFID system allows tags to remain powered continuously. Tags receive low-level RF signals, which in turn can generate high-level signals back to the reader. Active tags can transmit information up to 300 feet, and have a large data capacity. Active tags are expensive-up to $100 each-so the military tends to use them only on large pallets or cargo containers, says David Stephens, a senior vice president at Savi Technology, a Sunnyvale, Calif., supply chain integrator that has implemented RFID systems for the Defense Department.

Passive tags, on the other hand, are powered from the reader. These tags are much less expensive, but can be read only at short range and contain a small amount of data. They are akin to a license plate, which contains basic information needed to gain access to a larger database. Now as little as 40 cents each-with prices still falling-these tags work best in tracking separate smaller items throughout the supply chain, says Alan Melling, senior director of EPC solutions for Symbol Technologies Inc., an RFID vendor in Holtsville, N.Y.

Ready or Not

The Defense Department issued a policy memo on Oct. 2, 2003, requiring suppliers to affix RFID tags to products by 2005. The memo endorsed both types of RFID, but encouraged officials to reserve active RFID tags for large items such as tanks and consolidated shipments-much as they did in Operation Iraqi Freedom.

"If I've got hundreds of different shipments inside a container all going to different units in the field, I can use an active RFID tag, which lists the manifests of all of the different shipments inside that container," Estevez says. "When the tag, which is on the outside of the container, passes a reader, I can tell where that box or air pallet is at different segments of its journey."

The Defense Department's focus is mainly on expanding the use of passive RFID tags. They will be used to manage inventory as it enters supply and distribution centers and then as it moves from those facilities to military forces and industrial activities. As they are activated, the tags will automatically update the appropriate inventory management systems.

Using more passive RFID tags gives the department better visibility of its assets without human intervention. They're more efficient than the frequently used bar code system, which requires scanning of each item individually, Estevez says.

"You can run the same item over a bar code scanner 10 times, and it will think you've just moved 10 items," Estevez says. "But with RFID tags, you just run them through the reader and it automatically checks in everything on that pallet, saving you time and effort while increasing accuracy."

All branches of the military are pursuing uses for passive RFID technology-some in response to the Defense Department memo, and some on their own.

The Army Materiel Command's Combat Feeding Directorate is working toward using the technology to transport food sent to troops in Iraq and Afghanistan. In a test, passive tags were applied to cases and pallets and moved through a simulated end-to-end supply chain to see how much data could be captured and what obstacles might be encountered.

For the full rollout, manufacturers will place passive RFID tags on cases of Meals Ready to Eat. As the MREs are loaded onto pallets or into 20-by-40-foot shipping containers, the tags will create an electronic manifest. The containers will be shipped to a Defense depot or a theater distribution center overseas, where receivers can read the tags to identify the contents. Officials expect to have the system up and running at key sites by January 2005.

"It will be a great benefit to be able to interrogate a shipment and identify the products or cases without having to physically look at those cases," says Chief Warrant Officer Stephen Moody, a food scientist at the Combat Feeding Directorate, located at the Natick Soldier Center in Massachusetts.

The Navy is working on several implementations of RFID technology. In one case, the tags will be used for a special kind of cargo-the human kind. Coordinators of the Navy's Tactical Medical (TacMed) Coordination System are experimenting with using passive tags as tracking devices for casualties.

Soldiers would wear RFID tags containing basic demographic information around their necks, much like standard dog tags, says Michael Stiney, the TacMed Coordination System program manager at the Naval Aerospace Medical Research Lab in Pensacola, Fla. A health care worker would then scan the tag, upload the information into a hand-held device, and make a few quick entries on the tag about the soldier's condition and care.

If the appropriate communications devices are available, then the health care worker would transmit that information to a central database, making it available to others. If the equipment is not available, then the information recorded on the RFID tag would travel with the soldier to the next point, where it could be transmitted.

The experiment has been a great success at a fleet hospital in Iraq. Since RFID tags have not been issued to every soldier and Marine, the concept is limited to tracking casualties within the 118-bed fleet hospital. Patients were issued tags at check-in, and their tags were updated as they received care.

Once the system is fully implemented, Stiney expects it not only will speed treatment and improve accuracy, but also give planning information about bed space.

Now that prices have fallen, standards are under way and the Defense Department is expanding its use of passive RFID, civilian agencies are exploring ways to use the technology.

The Transportation Security Administration is experimenting with RFID tags on luggage arriving at airports. McCarran International Airport in Las Vegas is at the forefront with its RFID-based tracking system. If McCarran and other test sites are successful, TSA officials plan to gain some economies of scale by buying RFID tags in volume, says Buzz Cerino, TSA's communications technology lead.

For now, the Defense Department is the biggest proponent of RFID technology in the government-and with good reason, Coyle says. "Our goal is making sure information about supplies supports the logistics decision-makers," he says. "This technology is one of the keys to transformation, and we're transforming logistics in the Defense Department."

]]>

Keeping Planes Safe

Karen D. Schwartz — Thu, 01 Apr 2004 00:00:00 -0500

Homeland Security is spearheading a two-phase technology program to stop potential attacks on commercial aircraft.

ince 9/11, the U.S. government has struggled to find the most effective ways of dealing with terrorist attacks on every front-air, land and sea. While the Transportation Security Administration is working to implement sophisticated technology and procedures to secure borders, the Homeland Security Department has spearheaded ways to stop potential attacks on commercial aircraft.

Congress got a wake-up call in the fall of 2002, when terrorists believed to be connected with al Qaeda fired small portable weapons called MAN-Portable Air Defense Systems, or MANPADS, at an El Al plane taking off from a Kenyan airport. Congressional committees held hearings last year to discuss ways to protect commercial aircraft from missile attacks like this. From those hearings came legislation that would require equipping commercial planes with antimissile protection similar to that used on military aircraft.

Many experts say that the proliferation of portable air defense systems has added another dimension to protecting U.S. aircraft. About 20 countries manufacture MANPADS, and nearly every nation in the world has them. According to a report by Federation of American Scientists, a nonprofit research and advocacy organization in Washington, approximately 500,000 MANPADS exist today, many of which are thought to be on the black market and accessible to terrorists. These systems are attractive to terrorists for many reasons, including the fact that they are lethal, highly portable and concealable, inexpensive, and relatively simple to operate, notes Matt Schroeder, an arms expert at the Federation of American Scientists who co-authored the report.

Based on the congressional directive, DHS has initiated a two-phase program that will migrate the technology to deflect enemy missiles, which has been used in the military for many years, to the commercial aviation environment.

In Phase 1 of the program, which is expected to last six months, officials will investigate potential solutions, culminating in a detailed design and analysis of the economic, manufacturing and maintenance issues involved. Contractors will be BAE Systems of Nashua, N.H.; Northrop Grumman Corp. of Rolling Meadows, Ill.; and Austin, Texas-based Avisys Inc., a defense technologies and system integration organization led by United Airlines. Phase 2 will consist of an 18-month proto-type development program using existing technology. One or two of the Phase 1 contractors will be chosen to continue with Phase 2, says Parney Albright, assistant secretary of Homeland Security for science and technology.

Because of Congress' intense interest in the project and pressure to make the process quicker than the two years requested by DHS, representatives from the House Committee on Armed Services and the House Transportation and Infrastructure Subcommittee on Aviation asked the General Accounting Office to research the issue. The resulting report was released Jan. 30.

The report directed Homeland Security to use a disciplined and efficient systems engineering method throughout the development and implementation process-a knowledge-based approach.

FIRST THINGS FIRST

GAO outlined several challenges for Homeland Security in adapting a military counter-MANPADS system to commercial aircraft. The first is establishing system requirements; DHS must account for a variety of aircraft types in designing and integrating the system. The second involves dealing with maturing technology and design. The third GAO mentioned is setting reliable cost estimates for the procurement, integration, operation and support of such systems-cost estimates that don't exist for commercial aircraft.

Designing such a system is a complex process, Albright acknowledges. In the case of laser jammers, for example, the military generally installs three on each C-17 aircraft-one on each side and one on the tail. "They are worried about the air-to-air threat, not just the ground-to-air threat, and they maneuver their aircraft in far more dramatic ways," he says.

Setting reliable cost estimates also is a tall order, notes Burt Keirstead, program manager for the counter-MANPADS effort at BAE Systems. But it's one that can be tackled by combining an understanding of the acquisition costs with that of the operations and support costs. During Phase 1, the three contractors will focus on preparing a lifecycle cost model. "With any model, you want to make sure you have accurate inputs to reflect how things might change. If you have a good model in place, you can quickly input potential changes. Reliability and supportability are big inputs to cost," Keirstead says.

GAO concluded that dealing with these challenges would require Homeland Security to adopt a knowledge-based approach that:

Matches the customer's needs with available resources.
Allows a product's design to meet performance requirements and become stable about midway through development.
Shows that the product meets budget, schedule, quality and reliability targets before production begins.

GAO also noted that a knowledge-based approach would involve controls or criteria to determine whether specific milestones had been met at each critical juncture. Such an approach would help to confirm the business case on which the effort was originally justified.

IN THE KNOW

The GAO report is on target with its recommendations, says Keith Kerr, director of solutions development at Robbins-Gioia, an Alexandria, Va., project management consulting firm."Basically, the GAO report is saying [Homeland Security] should make sure they understand the differences and threats and alternatives, and bring all of that to the table in a cohesive package," Kerr says. "It's about setting up a disciplined approach and making it work by breaking the development into chunks: What type of training do your people need? Do you have all spare parts in place?

In many respects, Homeland Security already has taken a knowledge-based approach, although it's called various names. The preliminary design review, for example, evaluates progress, technical adequacy, proposed software architectures and risk resolutions; the critical design review determines whether the design satisfies performance and engineering requirements. Other knowledge-based processes include program management reviews, prototype development and systems engineering.

Albright says that despite appearances, the GAO report and the DHS team are in sync. The team's use of standard engineering practices addresses GAO's call to match the customer's needs and available resources, while the message about proving that the product can be manufactured within cost, schedule, quality and reliability targets has been heard. As for the GAO's other point-that a product's design meet performance requirements and become stable about midway through development-Albright says that by the end of Phase 1, scheduled for this summer, "everything will be locked in place."

"We agree completely with the GAO's conclusions, and that's why we have been very careful not to make any commitments as to what the actual deployment of the system will be," Albright says. "We don't say anything about deployment because we won't know for sure what we are going to have in terms of performance and cost of ownership until we have integrated these things onto an aircraft and prototyped and tested them. In our view, it's highly premature to make a deployment decision-which is what the GAO is saying-until we have those facts on the table."

BAE Systems' Keirstead agrees, noting the report was commissioned before Homeland Security began Phase 1. "They interviewed us in spring of 2003, and a lot has transpired in the ensuing months," he says. The conclusion of Phase 1 will provide the team with a preliminary design and a much better understanding of what must be done, he says.

The GAO report, however, questioned the two-year timetable noting that, given the complexity of the project, it might simply be too ambitious.

The deadline, although ambitious, is realistic, insists Albright, despite concerns from GAO and others that two years may not be enough time to fully investigate and test the technology. "We think it's an aggressive timetable, especially when we've got a senator or two telling us it should only take six months, but we think two years is about right," he says.

Douglas Laird, president of Laird & Associates Inc., a Reno, Nev., aviation consulting firm, thinks GAO might have a point. "Adapting a military MANPADS system to commercial aircraft is difficult in many ways, and they have to take their time and do it right," he says. "If I had one piece of advice to give DHS, I'd tell them not be pressured by an unrealistic time frame. Take your time and develop a system that meets your needs. But during that development, heed the GAO's advice."

Karen D. Schwartz is a writer specializing in technology and business issues. She has written for numerous publications, including Business 2.0, CIO, InformationWeek, Electronic Business and Mobile Computing & Communications. ]]>

Fighting a War of Words

Karen D. Schwartz — Mon, 01 Mar 2004 00:00:00 -0500

ntelligence and military leaders have made progress in capturing terrorists, but they really can't finish the job without understanding the plans, thought processes and movements of terrorist organizations.

Interpreting cryptic correspondence-much of it written on scraps of stained, crumpled paper or locked in e-mails-is the key. Combine that intelligence with a search of Web sites, newspapers and other documents for names, locations and additional information, and officials have the ammunition they need to stamp out terrorism.

That sounds like a good plan, but it's easier said than done. Software tools are available to help translate information, find spelling variations in names, analyze sentences and concepts, and search for terms across multiple languages. But many think these technologies aren't mature enough to keep vital information from falling through the cracks.

Software vendors have little interest in many of the languages the government must deal with, such as Pashtu and Somali, says Melissa Holland, leader of the multilingual research program at the Army Research Laboratory. Because of low market demand, the development of text-based multilingual technology has been slow to nonexistent. Other hurdles to creating reliable translation software include having to decipher torn, faded or faxed documents; nuance, tone and colloquial expressions of language; and the vast number of documents that must be evaluated. Reams of information have been recovered from caves in Afghanistan alone.

Federal agencies have been developing programs to analyze commercial products, create proprietary products, and in some cases, tweak existing ones to meet specific language-based needs. And commercial software vendors have been responsive to agencies' requests for more comprehensive translation technologies. The result has been a handful of well-received tools that agencies use with varying degrees of success.

TURN OF PHRASE

The most prominent area of text-based multilingual technology is direct translation of text from one language to another. The concept might seem straightforward, but it's far from simple when idiomatic expressions, nuance, tone, inflection, humor and dialects are factored into the equation.

"Language is the most complex of human behaviors, so it's the biggest challenge when trying to reproduce those language behaviors," says Ray Clifford, chancellor of the Defense Language Institute, which trains translators, most of whom become signals intelligence officers or debriefers of prisoners of war, in dozens of languages. "How do you make such a translation by machine for a concept that doesn't exist in the first language?"

The Defense Department's Language and Speech Exploitation Resources (LASER) program is trying to improve machine translation. About halfway into a five-year project, officials are evaluating commercial technologies and developing ways to tailor them to the government's needs. John Kovarik, chairman of LASER's text-to-text integrated project team and a senior language technology expert at the National Security Agency, wants to develop machine translation technology that will work for everyone from an FBI analyst at headquarters to a sergeant on the battlefield.

Pushing the envelope, the LASER team invested in leading machine translation providers such as Systran Software of San Diego. Today, Systran provides machine translation for a variety of languages, including most Western European languages, Chinese, Japanese, Korean and Arabic.

Under the direction of the Army Research Laboratory, the Army's Communications and Engineering R&D Command, and the Defense Information Systems Agency, LASER worked with MITRE Corp. of Bedford, Mass., to refine its Translingual Instant Messaging (TrIM) system. They developed an instant-messaging protocol that would allow U.S. troops on joint exercises with Japan in the Pacific to exchange messages using machine translation.

The team continued to upgrade the system, including user-defined dictionaries that address vocabulary unique to a specific exercise or situation. But the accuracy rate still isn't what the government would like it to be-often lower than 80 percent, some vendors and industry experts say.

In an effort to provide speedy and consistent machine translation services for a variety of languages, the LASER team decided to augment traditional machine translation with new technology. Partnering with Language Weaver of Marina del Rey, Calif., a portfolio company of the CIA-funded venture firm, In-Q-Tel, the LASER team plans to develop machine translation that uses a statistical instead of traditional rules-based approach. The goal, Kovarik says, is to capture English phrases that align with their foreign language equivalents in parallel text.

COMBINATION APPROACH

Although direct text translation has been the primary focus of new technologies, others have emerged to address hurdles such as multicultural name recognition.

Consider the case of Pakistani immigrant Mir Amal Kansi, a terrorist executed in Virginia in 2002 for killing two people and wounding three more outside CIA headquarters in 1993. At the time, The Washington Post decried the crime, noting that he passed through immigration checkpoints at John F. Kennedy International Airport in New York with a passport and visa listing his name as Mir Aimal Kasi.

Incidents like this have prompted some vendors to improve automated name recognition across languages. "We had to come up with a way to identify the culture of a name. Because it's clear that if you have a Chinese name with short syllables versus a Hispanic name, there is so much more syntax involved in the Hispanic name, that it's difficult to invent one algorithm to handle both of them," says Jack Hermansen, CEO of Language Analysis Systems of Herndon, Va. Vendors such as Language Analysis Systems and Basis Technology Inc. of Cambridge, Mass., have developed tools to bridge that gap for many agencies, including the Bureau of Customs and Border Protection, Homeland Security Department and intelligence organizations.

Another translation tool making inroads is multilingual information retrieval-a sort of Google search engine. By typing in an English phrase, a user can retrieve documents containing that phrase in other languages. The latest versions of this technology use Unicode, which assigns a unique number to every character, independent of platform, program or language. The standard, adopted by industry leaders such as Apple, HP, IBM, Microsoft, Oracle, SAP, Sun, Sybase and Unisys, allows multilingual information retrieval systems to work in ways they never could before, says Carl Hoffman, CEO of Basis Technology, a Cambridge, Mass.-based firm that produces the technology.

"Let's say you have a document written in Arabic script that contains the name of an al Qaeda leader, and that document is buried on a hard disk among tens of thousands of other documents," Hoffman says. "You want to search the hard disk for any document containing that name. All you have to do is type that name in Latin letters, and it will match it as written in the Arabic script."

Another approach is multilingual information extraction, in which users can pinpoint names, places, dates and other words and phrases in a variety of sources, such as e-mail, documents and the Web. The Defense Advanced Research Project Agency's Translingual Information Detection, Extraction and Summarization program develops systems that focus on languages such as Arabic and Chinese, in which extraction can be more difficult. Basis Technology and other vendors offer similar software.

Government language experts say the best way to increase efficiency of translation technologies is to use a combination approach-not just machine translation or multilingual entity extraction, for example, but two or more techniques. That's especially true of machine translation, says Doug Naquin, director of the Foreign Broadcast Information Service, a CIA organization that translates the text of daily broadcasts, government statements and news articles from non-English sources. "The technology has gotten better, but not to the point where most of the people we hire to do language work would feel comfortable saying it can all be done via machine translation," he says. Machine translation technology is most useful as a filtering technique, Naquin says, "because no matter how many people we hire, we can't keep up with the volume."

Other tool combinations also have proved useful. The Foreign Broadcast Information Service staff, for instance, integrates translation tools with search engines. "By combining multilanguage information extraction and information retrieval, for example, we can enter a search term like 'SARS in Asia,' and use the extraction entity to give us responses both in English and the original language," Naquin says.

"We've come a long way," the Defense Language Institute's Clifford says. "Today, we've got multiple enterprises tasked to deal with this issue, and that's an important step."

]]>

Managing Smart Cards

Karen D. Schwartz — Sun, 01 Feb 2004 00:00:00 -0500

The lessons that Defense has learned so painfully should help other agencies in the throes of implementing smart cards.

ith dozens of smart card projects under way in the past year alone and millions of cards already in use, it's clear that the federal government sees great benefit to the technology. Not only do smart cards provide secure access to computer networks and buildings, they also can be used for a host of other purposes, including procurement and identification. And because the cards contain embedded microchips, they are very secure, offering tamper-resistant protection in a variety of circumstances.

But along with the benefits come challenges. Even the Defense Department's highly touted Common Access Card program, considered the pioneer of smart card technology in government, has had its share of problems.

Defense recently acknowledged that it did not meet its goal of deploying the last of its 4 million smart cards by October 2003. Instead, officials pushed the date back to April 2004, citing "unforeseen delays."

Mary Dixon, director of Defense's Access Card Office, says unanticipated military operations in Iraq and Afghanistan caused the armed services to deploy more reserve troops than anyone could have foreseen, and that contributed to delays. "There were so many being mobilized that we couldn't get through the [smart card issuance] process fast enough," she says. Early problems in "scaling up" the smart card system so it could be widely implemented also contributed to delays, she says. In retrospect, Dixon says the team could have performed more comprehensive testing to make sure the system could be expanded. She says such problems have been addressed and shouldn't reoccur.

The lessons that Defense learned so painfully should help other agencies, says Bob Donelson, senior property manager at the Interior Department's Bureau of Land Management and chairman of the National Institute of Standards and Technology's Interoperability Advisory Board. Donelson says his team at BLM has learned a great deal from Defense's experience with the Common Access Card. "We looked at DoD heavily when we were developing our cards," he says. "We found areas to leverage what they did, and we found areas to improve upon, such as the cost model. And I can imagine that someone who looks at our implementation model would be able to improve upon it further as well."

Learning lessons from other government smart card implementations, many agree, is the best way to address the numerous challenges that can occur during deployment. Problems in both the management and technical arenas can slow or halt a project in its tracks if not addressed effectively. Management issues, which often must be tackled before considering technical challenges, include educating those involved with buying and choosing smart cards, gaining executive buy-in, setting realistic expectations, establishing schedules, and ensuring that ongoing issues are resolved quickly and reasonably.

Setting the right expectations and managing them are vital to the success of any smart card project, Donelson says. Deployment teams, he says, must show all potential users the benefits of smart cards in concrete terms. After that, the team should keep users apprised of new applications as they develop, he advises. Making sure the smart card team includes stakeholders from every part of the organization helps manage expectations and ensures acceptance and support at all levels. "We need people in all of those camps to become diplomats," Donelson says.

Along with managing expectations comes the need for constant communication-something that's especially important in complex projects where the scope or requirements can change quickly and unexpectedly.

A good technology rollout starts with a comprehensive project plan with realistic time lines and a readiness to be flexible in implementation, says Randy Vanderhoof, acting president and CEO of the Princeton Junction, N.J.-based Smart Card Alliance. "If there isn't good monitoring of progress or sufficient room in the schedule to adjust for changes as the program rolls out, it can cause real problems," he says.

Communication must extend all the way through to a project's completion and even beyond, says Kristine Conrath, director of emerging technologies in the Treasury Department's Financial Management Service, which has issued more than 1 million smart cards. Although it took several years to learn this lesson, the FMS team now performs thorough evaluations after each implementation, consisting of site surveys, audits and weekly conference calls. "It results in a smoother rollout, where people aren't stressed and the customer feels more comfortable that things are on track. That makes them want to use the card, so they communicate to others that they like it," Conrath says.

TECHNICAL DIFFICULTIES

In their own way, technical challenges can be just as daunting as management challenges. Common technical difficulties include resolving interoperability and integration issues, deciding whether to put several application technologies on the same card, and determining how deeply to involve those who control physical access to facilities in the process.

For many agencies, especially early adopters, interoperability has been the thorniest issue. Using smart cards, software and card readers manufactured by different vendors can be difficult. But many agencies don't want to be tied to one vendor throughout the life of a project. "When we started this program, it was considered a vertical implementation, where one vendor would provide the smart cards, the reader and the middleware, and everything would work together," Dixon says. "We knew we needed the ability to use multiple vendors, and the only way we could do that was by ensuring that the products would be interoperable." To accomplish its goal, Defense relied on NIST's interoperability specifications, developed by the agency's Interagency Advisory Board. Since the specifications were developed in 2000, interoperability has been less of an issue.

Deciding whether to put more than one application technology on a card also can be perplexing. For example, while FMS' smart card is used mainly to store funds for the purchase of goods and services, some cards have an additional, nonfinancial application that uses magnetic stripe technology. To make the dual-use card as glitch-free as possible, the team vowed to make sure that all processes were clearly defined and documented and that lines of ownership for each application were clear, Conrath says.

The Defense Department has an even more complicated scenario, with five different applications residing on the current version of the Common Access Card, using technology that includes a two-dimensional bar code, a linear bar code, a magnetic stripe and a microchip.

"If any one of those media fails, we have to issue a new card. It's not too bad if it's the chip, but if your magstripe doesn't last as long as it should, that's a lot of money to pay for a magstripe card," Dixon says. "It's just too many points of failure."

Looking back, Dixon says it probably would have been better to eliminate some of the media on the smart card, if possible.

Another common mistake is failing to include those responsible for physical access to buildings in original smart card planning sessions, says Gordon Hannah, manager of secure access and identity management for BearingPoint in McLean, Va. "You want the physical access community to embrace this credential so they will honor it to get into a building, while you may be using it for other things like property control, network access and secure signing of documents," Hannah says.

]]>

Reversal of Fortune

Karen D. Schwartz — Thu, 01 Jan 2004 00:00:00 -0500

our years ago, after hearing the buzz about reverse auctions, leaders of the Army's Communications-Electronics Command (CECOM) decided to give the high-tech procurement tool a try. In short order, CECOM set up two online auctions seeking bids from vendors to provide notebook computers and secure fax machines. After paying an average of 37 percent less money and weeks of time over traditional procurement methods, CECOM officials were sold.

Other federal agencies soon jumped on the bandwagon. The Postal Service, for example, used reverse auctions to lease 4,600 trailers designed to carry mail. Managers were delighted by the results-costs fell by more than 11 percent and procurement time dropped by 30 days. When the General Services Administration endorsed them and agencies showed frenzied interest, the future of reverse auctions in government seemed assured.

Fast-forward four years. Reverse auctions still are alive and well, but the initial exuberance has ebbed. Agencies have taken a step back, realizing that reverse auctions aren't the only procurement tool in the arsenal and that they aren't always appropriate. "In the government, sometimes we get carried away. We find something that looks good and we try to make everything fit into it, but deep down we all know that one size never fits all," says David Drabkin, deputy associate administrator for acquisition policy at GSA's Office of Governmentwide Policy. "Today, we know that reverse auctions are a good tool in certain types of acquisitions and in certain situations."

QUICKER AND CHEAPER

While reverse auctions aren't always the answer, they serve two important functions: buying off-the-shelf technology for the best possible price and negotiating the best deals on agency-specific products later in the procurement process. Reverse auctions are most commonly used to purchase standard commercial products-everything from automobile parts to PCs. Reverse auctions still make sense in cases like these, but only if the agency's needs are clear, says Alan Thomas, global account manager for the public sector at FreeMarkets Inc. of Pittsburgh, Pa. "The rules of thumb haven't changed," he says. "In order for a competitive negotiation to be successful, you need to have a certain number of suppliers to create meaningful competition. You need to be able to describe the service or goods you're looking to purchase in enough detail to get an apples-to-apples comparison."

"Reverse auctioning requires buyers to have a fairly precise understanding of their requirements," says Larry Allen, executive vice president of the Washington-based Coalition for Government Procurement, an industry association representing companies that sell to the federal government. "But when you get into a systems integrated solution, there needs to be a greater understanding of what a customer wants, and that comes through discussions with the customer. Reverse auctioning doesn't enable the give-and-take you might need for a more complex procurement."

But CECOM still uses reverse auctions to garner the best price on specified items, along with sealed bids and long-term contracts, depending on the situation. The organization conducted 38 reverse auctions in 2003 for items such as mounting brackets, transformers, small diesel engines and computers. That's almost a threefold increase over 2000, when CECOM conducted just 13 reverse auctions. Between 2000 and 2003, 107 reverse auctions, conducted with the help of software from Moai of San Francisco, saved CECOM $6 million. "When they are done, they are successful," says Edward Elgart, director of the CECOM Acquisition Center in Fort Monmouth, N.J. "They are easier to set up, and you know the same day you run the auction who the winner will be."

The reason CECOM doesn't conduct more reverse auctions, Elgart says, is that many buyers simply don't know how to use the tool. "As a result, they are either unaware of its existence or afraid to try it because it's different."

THINKING IN REVERSE

Even as the number of reverse auctions levels off, contracting and procurement professionals have become more proficient with online competitions and have discovered other uses for them. The Army Corps of Engineers, for example, recently experimented with reverse auctions as a way to find subcontractors for one of its prime contractors. Many organizations are using reverse auctions to award construction contracts-a concept no one expected would work. Other agencies have started using reverse auctions to negotiate prices later in the procurement process for customized goods and services. When used as a price negotiation tool, the reverse auction takes place after an organization has chosen its universe of contenders through another procurement process. Once all technical requirements have been defined and the only issue left is cost, contracting officers can use the reverse auction to get the best price.

These unusual uses of the reverse auction process require much more knowledge and expertise, Drabkin says, but they're well within the scope of the Federal Acquisition Regulation. Before beginning the actual contracting process, a procurement team must set its requirements and analyze the best way to achieve those requirements. "In the course of that discussion you should be talking about whether a reverse auction would be appropriate at either the beginning [for procurement of commodity items] or as a pricing technique. You would discuss it just like you would discuss how to satisfy your small business requirements or your environmental requirements," he says. "It's a very disciplined process that everybody in the acquisition workforce should be using."

BETTER TOOLS

Vendors have responded to the evolution of reverse auctions by creating products that are easier to use and more sophisticated. Ariba Inc. of Sunnyvale, Calif., for example, didn't even have its own reverse auction tool until about three years ago. The company introduced its first release of reverse auction technology in 2001. As Ariba discovered that organizations wanted to consider other options depending on their requirements, it began to offer more versatile supply management tools, including online procurement tools, says Emily Rakowski, Ariba's sourcing product marketing manager.

The growing popularity of desktop reverse auction software also has expanded the universe of online procurements. Desktop reverse auction software is more sophisticated, and therefore attractive, than it was a few years ago. In addition to market leaders Ariba, FreeMarkets and Frictionless Commerce of Cambridge, Mass., many more vendors have joined the game, including large companies such as Oracle Corp. and smaller vendors such as Global eProcure of Clark, N.J., Emptoris of Burlington, Mass., and Procuri Inc. of Atlanta.

Amanda Silverman, an independent consultant for the Postal Service's supply chain strategies group, says new desktop reverse auction software allows bidders to respond to auctions more easily and permits auctions involving smaller dollar amounts. In the past, a typical reverse auction at the Postal Service ranged from $1 million to $30 million. Today, a project as small as $100,000 can be auctioned. The Postal Service might even conduct a reverse auction for a purchase as small as $40,000, using FreeMarkets and Lean Logistics of Holland, Mich., a vendor specializing in auction technology for transportation. "We're still interested in doing larger auctions with [expenditures] of $35 million or more because we can derive a lot of savings," Silverman says. "But running auctions on smaller [expenditures] opens up a chance to compete the often overlooked smaller requirements in a more effective way than may have been done in the past."

As for the future of reverse auctions in government, the consensus seems to be slow and steady. "They will continue to have a place at the table, but I don't expect it to grow dramatically," the procurement coalition's Allen says. GSA's Drabkin agrees, but says the use of reverse auctions as a price negotiation tool may catch on more quickly as people become more familiar with the concept and the technology used to pull it off. "We'll have more intelligent contracting systems that will help remind people that this might be an option as they move through an acquisition," Drabkin says.

Karen D. Schwartz is a writer specializing in technology and business issues. She has written for numerous publications, including Business 2.0, CIO, Information Week, Electronic Business and Mobile Computing & Communications. ]]>

More Agencies Pick Open Source Software

Karen D. Schwartz — Mon, 01 Dec 2003 00:00:00 -0500

ust five years ago, programmers who understood the value of using collaborative, open source software as a foundation for developing federal applications had to use the software surreptitiously. At that time, open source software was the bailiwick of programmers hidden away in back rooms-programmers who understood that using open source software could cut costs, speed development and improve performance. Back then, using anything but off-the-shelf software for application development wasn't widely accepted or understood. After all, commercial software was a known quantity, perceived as more reliable and secure than open source software, which just about anyone could customize.

Slowly but surely, federal CIOs have begun to see the benefits of using open source software. Prime examples include the Linux operating system, the Apache Web server, the Mozilla Firebird browser, and MySQL and PostgreSQL, open source relational databases that use standard Structured Query Language.

The National Weather Service is a case in point. The Weather Service has done an about-face in the past few years, shifting its focus from proprietary software, which is difficult to customize, to open software. The most salient example is the Advanced Weather Interactive Processing System (AWIPS), used by forecasters throughout the country to issue weather warnings, advisories, alerts and forecasts. Until about two years ago, AWIPS ran on the proprietary Unix-based HP/UX platform.

After determining that the Linux operating system had matured greatly over the past several years, due in part to its refinement by companies such as Red Hat Inc. of Raleigh, N.C., and German vendor SuSE Inc., Weather Service leaders decided to switch to Linux as the new operating system for AWIPS. "Linux was always a hacker's language, shared by a group on the Web, and it didn't have supportability. But now, lots of groups offer support and 7-by-24 availability," says Weather Service CIO Barry West. "There was some risk, because there weren't a lot of other agencies that had done this, but when we laid the factors out, our corporate board decided to move forward."

Since switching to Linux, the Weather Service has cut AWIPS costs, reportedly by as much as 75 percent, largely because the operating system requires less maintenance. Aside from increased efficiency, West says, Linux works with many different types of hardware and environments. "We can run the same applications on a supercomputer and take it down to the workstation without recompiling," he says. "You can't do that with other operating systems."

Like the Weather Service, other federal agencies are beginning to understand the value of using open source software and have begun to make the shift. Agencies not only reap cost savings and efficiency, they find open source easier to use because it's stable, portable and it can be upgraded. The Census Bureau, another open source software proponent, has developed a system to help citizens get data using a variety of open source software, including Apache Web Server, Linux, MySQL and Perl. The National Security Agency has developed a security-enhanced Linux operating system that protects applications and network services by segmenting them into domains to enable secure computing in the Defense environment.

The Defense Department, which employs more than 100 open source software tools, is one of the government's largest users of the technology. The problem, notes CIO John Stenbit, is that many of those applications don't meet criteria for security and intellectual property protection that has been in place since July 2002.

Stenbit issued a memorandum on May 28 reminding Defense workers and vendors that all Defense applications using code or products based on open source software must comply with National Security Telecommunication and Information Systems Security Policy, enforced by the National Institute of Standards and Technology.

Many open source proponents interpreted the memo as Defense's endorsement of the software, but that's not exactly the case, Stenbit says. "We're agnostic, everything being equal. We'd like to satisfy our users' desire to use Linux and [other] open source software for its benefits, but only if it meets our criteria," he says.

PUSH VERSUS PULL

Many vendors are meeting the federal government halfway, offering a slew of products based on open source software. Many hardware vendors have introduced Linux-based PCs, and some, such as IBM, offer servers running MySQL.

Vendors also are increasingly taking Stenbit up on his challenge, submitting products and code to the Defense Department's standards. In the past several months alone, many products have been certified. Red Hat Linux Advanced Server, for example, has the Defense Information System Agency's Common Operating Environment certification, while SuSE Linux Enterprise Server 8 has the Common Criteria Security certification, required by most federal agencies.

The notable exception to the open source trend is Microsoft-a company whose products are most entrenched in the federal government, and therefore a company that stands to lose the most. "You have Web servers and security components and e-mail systems and other things being produced in open source, and that's product competition with other vendors," says Jason Matusow, manager of Microsoft's Shared Source Initiative.

In its vigor to stop the open source train, Microsoft has become aggressively vocal and active. The company has lobbied against the Defense Department's adoption of open source, tried to shut down the National Security Agency's use of Linux, and has even attempted to convince Congress that open source is a bad idea.

Part of the problem, Microsoft asserts, is that Linux has grown up-so much so, executives believe, that it no longer acts much like an open source product and therefore should be considered a competitive off-the-shelf product, much like Microsoft's Windows.

"Linux is acting more like a commercial operating system than ever before, with companies like IBM and Red Hat behind it," Matusow says. "Agencies using Linux now have commercial relationships with those vendors much as they would with any off-the-shelf product they would have purchased."

Terry Bollinger is an IT analyst at MITRE, a not-for-profit organization chartered to work in the public interest based in Bedford, Mass., and McLean, Va., and co-author of the 2002 study, "Use of Free and Open Source Software in the U.S. Department of Defense." He concedes that Microsoft might have a point, albeit a weak one.

"People are very concerned that in picking a particular group of vendors that develops software, you aren't just picking a license, but picking a group. In some ways, it can be viewed as another form of proprietariness. That's one of the reasons why Microsoft has such severe concerns," Bollinger says. "If you pick a specific cooperative's [product], you can't include it in your package and sell your package, and that concerns groups like Microsoft."

Microsoft has other reasons to be concerned about the federal government's growing interest in open source software, says Tony Stanco, who directs the Center of Open Source and Government, a Washington-based consortium dedicated to promoting open source throughout government, and The George Washington University's Cyber Security Policy and Research Institute.

Open source software found its way into government from the IT worker's level, to the IT director's level, to the management level, Stanco says, so Microsoft didn't consider it an issue until it was too late. "By the time Microsoft got involved, there were so many people at the management and technical levels using open source that they had a hard time. They fought it, but they are losing out with things like the DoD memo," he says.

Microsoft's Matusow debates vendors' and agencies' claims that open source software is less expensive. He lists costs, including fees paid to a distributor such as Red Hat on a per-server basis and fees paid to vendors such as IBM. "At the end of the day, the cost they are presenting relative to the use of their operating system will be comparable to that of other operating systems," Matusow says.

Sam Greenblatt, chief architect of the Linux Technology Group at Islandia, N.Y.-based Computer Associates International Inc., begs to differ. "It's about total cost of acquisition," he says. "If I'm sitting on a 486 chip, I won't run XP because it won't work," he says. "If you really want to run XP and Office 2003, you need a stronger processor. The federal government has older hardware, so Linux is a natural. Instead of upgrading, they can just install Linux and run [Linux] OpenOffice."

Microsoft is correct that most federal agencies pay third-party vendors to acquire open source software, but that type of competition actually drives down costs in the long term, Bollinger says. "Since anybody can start a business to support open source products, you are actually encouraging competition in the private sector," he says. "And that's often where the biggest expenses are-in support. That's what's behind the feeling that over the long term, open source can provide significant cost savings to government."

HERE TO STAY

This debate, although unpleasant for vendors, doesn't seem to be affecting the federal government that much. As agencies discover the benefits of open source, more are considering their options. Making their decision easier is SmartBUY, a governmentwide software licensing initiative promulgated by the Office of Management and Budget and managed by the General Services Administration that includes open source software. As open source software becomes easier to procure, it likely will catch on faster than ever before.

Despite potential roadblocks, open source appears to be here to stay in the federal arena. The National Weather Service, for example, plans to convert systems at more than 122 forecast offices to Linux by the end of this year.

"Agencies that are skeptical about moving to open source should take a second look," the Weather Service's West says. "We've been very happy and have had no second thoughts about our move to Linux and some of the other utilities in open source."

As popular as open source-based development may become, it never will supplant off-the-shelf software in the development world. Instead, the two technologies are likely to enjoy a peaceful coexistence.

"Whether we use open source or proprietary software depends on the business case and what your needs are," West says. "What are your interoperability issues? What other systems do you have to communicate with?"

It's not an either-or proposition, according to Brad Westpfahl, director of IBM's Government Industry Programs. "The fact that top management in federal agencies are giving the green light to consider and use open source is the news of the day, and it's an opportunity for agencies to feel confident that they shouldn't make the commercial versus open decision upfront and then try to solve the problem," he says. "Instead of making a decision wholesale to go proprietary or open, understand the needs of your various applications and deployments and keep both types of capabilities on the evaluation list until one or the other proves superior."

]]>

Countering Terrorism With Technology

Karen D. Schwartz — Wed, 01 Oct 2003 00:00:00 -0400

he FBI agent has been working for weeks on a tough counter-terrorism case. Although he's close to cracking it, he is missing crucial information that could help solve it. Stymied, he takes a lunch break, only to return to his desk and find information critical to his case staring at him from his screen. Using information gathered from the computers of other FBI agents, the agent finally fits the pieces of the puzzle together, thwarting yet another terrorist plot before it jeopardizes the safety of U.S. citizens.

Until recently, that kind of information sharing was not only rare, but prohibited at the Federal Bureau of Investigation. But thanks to an increased focus on counter-terrorism and a forward-thinking director, the FBI now employs state-of-the-art knowledge management technology, allowing the agency to gather, organize, share and analyze both its structured and unstructured data.

"We're trying to go from having individual data components to getting that data in an aggregate form so we can produce information relevant to a topic," explains Ken Ritchhart, the FBI's section chief for data engineering and integration. "Then we can apply that information to a problem set, which gives us intelligence or evidence for the next step-taking action."

Using knowledge management technology-a group of tools and methodologies designed to help gather, organize, share and analyze information-FBI agents can make connections they might never have been able to make before. They can access information from other open FBI cases that might be relevant to their own cases, helping them solve cases more quickly. And eventually-once agreements and standards are worked out-agents might even be able to share information with the CIA, Homeland Security Department, and other intelligence-gathering agencies. Once that happens, the possibilities for fighting terrorism will be virtually limitless.

FIGHTING WITH KNOWLEDGE

Knowledge management can be used to fight terrorism in many ways. One of the most valuable is link analysis-the ability to link two or more seemingly unrelated bits of information.

"There is gold buried in an organization's assets, but in most cases, you don't see people turning that gold into jewelry, which has utility to an end user," explains Barak Pridor, CEO of ClearForest Corp., a New York-based knowledge management vendor offering link analysis technology to a number of agencies, including the FBI. Link analysis tools tag unstructured text-based documents to identify relevant entities, events, facts and relationships buried inside them. The technology then puts all relevant information in a central repository so all possible linkages, relationships and insights can be derived.

Link analysis holds great promise in the field of counterterrorism. An analyst working to pinpoint the location of a ticking bomb, for example, must find the person responsible for the bomb as quickly as possible. To do that, the analyst would look for all records that mention the person's name to identify anyone with whom the perpetrator has had a close relationship, through school ties, past experiences or other relationships. After formulating those links, the analyst must prioritize them and begin talking to the contacts he has found. At the same time, the analyst would look for all mentions of the perpetrator's past activities-information that may exist in various databases, newspaper articles and other sources.

Knowledge management technology also can help link people working on the same hypothesis. This category of tools builds profiles of analysts based on the content of outbound e-mails and other systems they use every day. The system looks for patterns-names, phrases and clusters that constitute topics. When another analyst in the organization has a question about a specific topic, he will get that information from the system, minus the name of the analyst whose profile was accessed. The primary tool in this category is from Tacit Knowledge Systems Inc. of Palo Alto, Calif.-one of the technology companies funded by In-Q-Tel, a nonprofit enterprise created by the Central Intelligence Agency that contracts with companies like Tacit to help develop cutting-edge information technologies that serve the country's national security interests. "It's about realizing the significance of what you already have, and that can only happen when people who have bits and pieces of the puzzle can connect with each other and start working together," notes Tacit CEO David Gilmour.

CULTURE SHOCK

The use of knowledge management tools isn't a new practice for government-in fact, knowledge management has been used for years to enhance collaboration, capture and share best practices, and provide e-learning programs. But after Sept. 11, it became abundantly clear that to fight the growing threat of terrorism, such technology must be applied to sensitive and classified information-the type of information the CIA, FBI and the new Homeland Security Department work with every day.

Ruth David, president of Anser Inc., an Arlington, Va.-based public service research institute focusing on national and homeland security issues, notes that some of the shortcomings identified in the recent draft report by the National Commission on Terrorist Attacks upon the United States, known as the 9/11 commission, could have been prevented if knowledge management technology had been in place.

"There were a number of areas [described in the report] where data initially weren't deemed relevant by an analyst because they were looked at in isolation," she says. "As a result, pieces of data weren't reported, so subsequent analysts didn't have an opportunity to look at those pieces of data in a broader context with the benefit of related fragments of information that might have raised some alerts."

Those missteps are just the types of mistakes the intelligence community aims to correct through better sharing of information-and the first step is changing the long-standing, rigid culture of keeping information close to the vest.

The FBI is one of the first agencies to change that culture. FBI Director Robert S. Mueller said in a June 30 speech at a National Press Club luncheon that the Sept. 11 attacks required a dramatic shift in priorities. As a result, Mueller has called for not only a comprehensive revamping of the FBI's counterterrorism program, but a complete overhaul of the agency's information technology systems, including a greater reliance on knowledge management and collaborative technologies.

Earlier this year, Mueller made a fundamental shift in policy by mandating that all information must be shared unless an agent can explain why it shouldn't be-a move that makes it much easier for the agency to apply knowledge management and other analytical tools to their processes.

That's changed things for the better. Until recently, all FBI case files were restricted to individual agents, preventing all others from viewing them. Agents also had to get permission to access information from other cases, making information sharing difficult. If three agents were working on similar types of cases, there was little chance they could pool their knowledge.

"It used to be exclusion unless proven otherwise, and now it's inclusion unless proven otherwise," Ritchhart says. "With the old way, you couldn't apply knowledge management and analytical tools because you couldn't see the trends across the board."

Now that the policy has been changed, the agency is taking the next logical step, moving data into the Secure Collaborative Operational Prototype Environment for Counterterrorism (SCOPE), a data mart with more than 34 million documents related to counterterrorism. To access and share data contained in SCOPE, the FBI uses a variety of technologies, including ClearResearch, a knowledge management tool from ClearForest, and collaboration tools from Convera of Vienna, Va., and Ezenia Inc. of Burlington, Mass.

"Before we made the changes, an agent who was sending information out had to know exactly who to send it to, and somebody working a similar case would never see that information," Ritchhart says. "Now analysts have defined their profiles and areas of interest, so if I'm working a case, anything that fits the areas I've defined will be tagged and sent directly to me."

WARNING: CHALLENGES AHEAD

Agencies have significant challenges in finding ways to best use knowledge management to fight terrorism. Each agency must find ways to validate information, determine which information should be accessible to others, deal with issues of information ownership and security, and track how information is being accessed and used. In addition, changing the way agencies have shared-or not shared-information for dozens of years can cause a bit of culture shock.

But the biggest challenge, experts say, is how to share data effectively and securely among agencies. Solving the knowledge management challenge at the FBI is an important first step, but if an FBI agent can't access important information from a CIA analyst or the Homeland Security Department, the case may remain unsolved.

The Homeland Security Department faces even greater challenges than those of the intelligence community. While it must access information and resources both horizontally (with other federal agencies) and vertically (with state and local government as well as industry), the department is relatively immature. Once there is consensus on the nature and operational role of the department, it will be in a better position to roll out key cross-agency and intra-agency initiatives, according to Jocelyn Young, program manager for the vertical markets research group at Framingham, Mass.-based International Data Corp. That will increase the effectiveness of information sharing and promote greater collaboration, Young noted in a recent report on knowledge management in government.

Progress is being made on the inter-agency front, however. Intelligence agencies now exchange liaison officers and keep in close contact with each other and with the Homeland Security Department. When the FBI conducts a briefing on any aspect of counterterrorism, a CIA representative now attends the briefing-and vice versa.

On the technology front, the intelligence organizations are participating in the Intelligence Community System for Information Sharing, a Web-based framework for sharing sensitive and classified data. Intelligence operations also have agreed on common eXtensible Markup Language (XML)-based standards for data exchange, enhancing agencies' information sharing abilities.

For the FBI, these changes are just the tip of the iceberg. Next, Ritchhart says, is tailoring information in ways or formats that make it most valuable to users. With that capability, the entire counterterrorism process could move more quickly.

But all in all, things are moving along. "It's been an uphill battle until recently, but things have changed since 9/11," Ritchhart says. "After 32 years in intelligence, I've never seen collaboration better than it is today."

Karen D. Schwartz is a freelance writer specializing in technology and business issues. She has written for numerous publications, including Business 2.0, CIO, InformationWeek, Electronic Business and Mobile Computing & Communications

]]>

Building the Perfect Portal

Karen D. Schwartz — Mon, 01 Sep 2003 00:00:00 -0400

he Navy captain, aboard a ship headed for a war zone, sits down at a workstation and logs on. He zooms in on an area of conflict, observing the positions of his fleet and that of the enemy. Based on his analysis of this information, he issues tactical commands, which are transmitted in real time to the appropriate personnel.

Now that he has accomplished his goals for the moment, the captain has time to spare before his next task. First, he checks the status of aircraft and systems down for repair and orders spare parts. Then he signs up for a short online training course to get up to speed on the latest techniques in maintaining Naval aircraft. Before logging off, he takes a few minutes to check on a paycheck deposit, schedule medical appointments, and read the latest Navy news.

That type of real-time multitasking, virtually impossible until recently, is now an everyday occurrence in the Navy, thanks to a comprehensive portal to all of the service's Web-enabled applications. The Navy Marine Corps Portal (NMCP) allows uniformed personnel, contractors and family members to access Naval applications and share information with each other. The pilot project is a result of orders from the vice chief of Naval operations to create a global portal to support the warfighter.

When fully operational-sometime within the next few years, depending on funding-the NMCP will provide access to information in about 350 smaller Navy portals, many of which provide local commands with information specific to their users, such as human resources, local weather and travel updates. Eventually, even larger portals, such as Navy Knowledge Online, which offers training courses, will be incorporated into the Navy-wide portal, says NMCP program manager Terry Howell of the Space and Naval Warfare Systems Command (SPAWAR).

Initially, the portal's architecture was based on the CleverPath Portal from Computer Associates International Inc. of Islandia, N.Y. After the pilot phase is over, SPAWAR plans to issue a request for proposals this fall for a portal product that, like CleverPath, is built using open standards. This allows officials to continue developing and modifying the portal without being tied to proprietary technology. "We want to see what's out there two years after we started the pilot," Howell says.

REACHING NEW HEIGHTS

The Navy Marine Corps Portal and a handful of other ambitious projects at agencies make one thing crystal clear: The government portal has grown up. From its simple roots as a static compilation of Web pages, today's government portal has made great strides in achieving its ultimate promise-one-stop, secure, easy access to a wide variety of information sources whenever and from wherever the user happens to be.

The path government has taken on its journey to develop comprehensive portals resembles that of industry. Technology experts have spent years learning what works and what doesn't, generally by building less ambitious portals. Some have succeeded in their limited missions, and some haven't. Those lessons, combined with increasingly sophisticated commercial portal products and related technologies, have enabled agencies to make the giant leap toward creating the full-functioning, always-on portals they are developing today.

"There is more knowledge out there on the part of government. They are demanding more intelligence from portals, and we've had to make changes to our products to meet those demands," says Matt Calkins, president of Vienna, Va.-based Appian Corp., a portal vendor working on Army Knowledge Online.

In fact, many federal, state and local agencies are building next-generation portals, but few of them have actually reached the pinnacle-an always-on portal that provides all its users need and want. Although the technology exists to make this goal a reality, only a few are successfully dealing with the myriad challenges inherent in such a huge undertaking.

The architects of the Navy Marine Corp Portal could have achieved many of their goals by simply linking the portal to the Navy's vast array of smaller portals, but Howell's team intends to reach a loftier goal-full integration, access to real-time data, collaboration, and the ability to verify users' identities at any location.

One of the first challenges Howell's team has had to address is choosing among thousands of software applications in use across the Navy-many with redundant functions and data. The choice has political ramifications, but stepping on toes isn't Howell's biggest concern. Instead, his biggest challenge is to wade through the applications to determine which use the best data, which use stale data, and which deserve to remain active.

"[The Navy Marine Corps Intranet] has shown us that the approximately 100,000 applications we have out there is a serious problem, but at the same time, it's a great opportunity to make real improvements in the way we field information systems," Howell says. (NMCP is the new term for the NMCI.)

The portal team, in concert with the Navy chief information officer, established functional area managers to evaluate applications for specific fields such as logistics, finance, and human resources. This method has greatly simplified the process of choosing applications for the portal, Howell says.

Another major hurdle is the limited bandwidth aboard the Navy's 300 ships. Because of these limitations, some portal locations are disconnected from the network, sometimes for days. Once they reconnect, data and applications must immediately be synchronized and replicated so shipboard personnel have access to the latest information. For now, portal users must manually download updated files at each location, but Howell says these functions eventually will be automatic.

Security, especially when dealing with mission-critical information and lives, is crucial to NMCP. One necessary function is the ability to positively identify and authenticate all users. The system will include both authentication and a single sign-on, which provides every user with a unique access identification.

Another security issue is the limited space on Navy vessels. "Space for hardware is limited, yet we have to have support for multiple networks with different classifications. That means we may have to host one application two or three times, depending on the security classification, and that takes up a lot of room," Howell says.

REGULATIONS R US

Developing a global portal does not require reinventing the wheel. Regulations.gov, is a governmentwide portal for pending rules and regulations. It's currently under development. Building on past success, the project is off to a running start. The portal is being developed under the auspices of the Environmental Protection Agency because of its success with its EPA Dockets (EDOCKET) system. Representatives from 12 agencies and a consultant looked at government portals and deemed EDOCKET, an online public docket and comment system for EPA regulations, to be the closest in functionality and professionalism to the one they wanted to create.

The text- and image-based Regulations.gov will mark the first time federal regulations from all 180 agencies will be in one place, accessible and available for comment by the general public. When complete, the portal will allow citizens and business owners to search on any word and provide them access to open rules and documents, accompanying data such as cost-benefit and paperwork reduction analyses and risk assessment. It will enable them to comment on anything they find.

"If a motorcycle owner wanted to search for all rules and documents with the word 'motorcycle' in them, the search would turn up everything from all agencies that's open today. It even includes comments sent by mail that have been scanned into the system," says Oscar Morales, e-rulemaking project director for Regulations.gov and IT director for the EPA.

Although Morales and his team are patterning the architecture of Regulations.gov on the EDOCKET system, they are encountering issues that the much smaller EPA system didn't have to address. One is the massive amount of rules from numerous agencies, all with different processes and procedures. "By and large, we're on our own," he says. "We're trying to use as many best practices as we can by attending a monthly meeting at [the Office of Management and Budget] with other program managers from other e-gov initiatives, but there is no exact parallel to draw from."

But the most daunting challenge the Regulations.gov team faces is a cultural one. Only two federal statutes apply to the way agencies issue rules, which means many agencies operate differently. For example, some allow anonymous comments, while others require a name, address and other information. Some agencies publish all comments they receive, while others only publish some, based on their relevance.

"A lot of these business practices have to be standardized from an IT perspective before we can have any sort of national system," Morales says. He has created seven interagency groups to resolve this issue. One group consists of attorneys, another includes technical experts, and another includes budget specialists.

The sheer number of agencies Regulations.gov must deal with creates its own problems. While about 30 agencies have some type of automated rule-making systems, many of those systems are outdated and built with proprietary technology. The vast majority of agencies have no automated system at all-it's all on paper.

Decisions about migrating some legacy systems to the new Regulations.gov portal while decommissioning others create difficulties as well. Not surprisingly, those problems are more political than technical. "Here at EPA, we combined seven systems into one when we launched EDOCKET and saved money, and ultimately OMB wants to show on its books that it has saved money by doing the same thing," Morales says. "But it's a big deal. It's like Procter & Gamble telling Kraft it will save them money by taking over their e-mail system and combining it with their own."

To attack this thorny issue, Morales and his team have encouraged as much collaboration and participation by all agencies as possible, again with the help of the seven interagency groups. Each group is headed by someone from a different agency, and consists of 15 to 40 members. The Regulations.gov team briefs two to three agencies each week on its progress.

Morales expects the team to issue a request for proposals this fall, based on a blueprint and architecture it is developing with Documentum Inc. and Oracle Corp. The vendors developed the technology for EPA's EDOCKET system as well. Within two years, Morales expects the agencies that generate 80 percent to 90 percent of the rules to be on the system, with the remaining agencies up and running within four years.

ROOM TO GROW

Both Regulations.gov and NMCP are examples of maturing, feature-rich portals, and there are others in the planning stages. The first step toward building effective portals is determining what type of information should be included-something government is getting much better at doing, says Tim Hoechst, senior vice president of technology for Oracle Government, Education and Healthcare. "Those who have gotten better at choosing what's relevant are those who have identified and recognized what people want from their portal," he says. "When people go into a room with a whiteboard and try to decide what should be on a portal, they have less success than when people put up a portal and get feedback, evolving the content over time to meet what people want."

]]>

No Boundaries

Karen D. Schwartz — Fri, 01 Aug 2003 00:00:00 -0400

Getting collaborative systems to walk the talk.

taffers at the Army Research Lab in Adelphi, Md., must share information and work together on new develop- ments in high-tech areas such as sensors and robotics. For years, researchers relied on the telephone and face-to-face meetings to collaborate. Once communication technology began to mature, they shifted to e-mail and videoconferencing. Secure Web collaboration came next. Still searching for a more efficient and effective way to work together, research teams began using emerging collaborative technologies, among them, Documentum Inc.'s eRoom, to manage and modify project information shared among widely dispersed team members. Teams throughout the lab use a variety of other commercial and homegrown collaboration tools; it still is rare for more than one group at the lab to use the same tool.

In the past, leaders at the lab's Collaborative Technology Alliances program encouraged research teams to use whichever technologies they believed worked best. But increasing cross-team and cross-agency collaboration has led to a more centralized approach. "Collaboration is more important than ever before simply because of the diverse and multidisciplinary nature of many of the problems we're trying to solve today," says the lab's acting director, John Miller. He expects the organization soon will choose a single collaborative technology to use across the lab.

Like the Army lab, other agencies increasingly are using feature-rich collaborative tools to share information and improve the security of their communications. Such tools speed communication by providing features such as text chat, instant messaging and real-time online collaboration.

Vendors have gotten the message: More collaborative tools with more features are available than ever before. From the fairly simple, such as secure e-mail and instant messaging, to Web-based tools, to specialized technology for real-time collaboration or identifying experts in various fields across an organization, government agencies can take their pick.

PULLING TOGETHER

The Federal Emergency Management Agency runs several collaborative disaster management efforts and uses technology to increase efficiency and create teams of collaborators in disparate locations. "Disasters don't respect boundaries," notes Mark Zimmerman, program manager for FEMA's disaster management e-gov initiative. FEMA needs to help first responders across the country share maps and communicate securely in real time. To manage a variety of collaborative programs, including disasterhelp.gov, the e-gov disaster Web portal, FEMA adopted one commercial tool directly off the shelf and has reworked another to fit its unique needs. For first responder communications, FEMA uses Bantu Instant Messaging from Washington-based Bantu Inc. For its other requirements, FEMA customized the AppianCollaboration tool from Appian Corp. of Vienna, Va.

The frustrations involved with sending large attachments via e-mail led the F-15 Systems Program Office at Warner Robins Air Logistics Center at Robins Air Force Base, Ga., to try LiveLink collaborative technology from OpenText Corp. of Waterloo, Ontario. "We needed some way to get rid of the huge attachments and centralize them so people could simply get a one-line e-mail notifying them that a document was available for them to review," says Greg Lewis, integrated data manager for the F-15 program's systems integration division. As collaborators become more familiar with the technology, Lewis expects they'll begin using its white board, instant messaging and electronic signature features.

Among the most popular features of collaborative technologies is the ability to change and add to documents online in real time, while several people are working on them. "It creates a slice of time where you are all working together on a specific area, and it can consolidate the process, which creates efficiency," says Stephen Davis, who heads MTG Management Consultants LLC, located in Seattle. MTG recently recommended Groove Workspace, a real-time collaborative tool from Groove Networks Inc. of Beverly, Mass., for the Kansas Public Employees Retirement System. The MTG staffers and Kansas government employees working together on the retirement system use Groove to track information, set up meetings and keep notes and revise documents in real time.

Collaborative features such as improved audio and video, as well as the ability to see multiple people in a conference, each in separate on-screen windows, are popular among employee trainers and those who develop course material. Luciano Iorizzo, deputy director for the Army Training Support Center in Fort Eustis, Va., uses the CollabWorx Platform from CollabWorx of Syracuse, N.Y. "Instead of having a contractor visit Fort Huachuca [Ariz.], or sending a team of people to a [training] contractor's office ...we use CollabWorx Lite to look at training products online," Iorizzo explains. The organization uses a multi-user chat window to take meeting notes and create an instant record.

WISH LIST

Since the Sept. 11 terror attacks, some federal organizations are shoring up the security of their collaborative systems, while others are adopting collaborative technology to take advantage of its security features. "Unless you can do trusted communication in a secure way and provide audit, many people will refuse to collaborate," notes Gilman Louie, chief executive officer of Arlington, Va.-based In-Q-Tel. The nonprofit "venture catalyst" is funded by the Central Intelligence Agency to help develop cutting-edge information technologies for national security agencies. Louie says agencies and employees "won't be willing to share information unless they can track it, limit who can see it, and make sure people are accountable for the information they use."

Although the security features in today's collaborative tools are adequate for most government uses, there are some cases when more security is needed. The Homeland Security Department, for example, is "a real challenge, because it requires sharing information among all levels, not just in government but in public and private institutions," Louie says.

Users and developers have a growing wish list of features and functions beyond security improvements they believe would make collaborative technology more useful. Getting different collaborative systems to communicate is "a great and unsolved problem," says Marek Podgorny, who heads CollabWorx. Podgorny says the Defense Department is trying to solve the problem by enforcing a set of system standards for all collaborative systems. The General Services Administration has proposed creating a network to build a set of secure collaboration services and offer them throughout government. The project was derailed by the Sept. 11 attacks, but the idea has merit and should be revived, Podgorny says.

Another area ripe for development is visualization-the presentation of information on a shared electronic whiteboard so groups of people can easily understand it and work with it together. In-Q-Tel's Louie predicts collaborative technologists will mimic multiplayer computer games. "These games allow large numbers of people to share the same virtual space, meeting new people. You could take the same sort of technology and translate that into a collaborative virtual space," he says.

The biggest collaborative challenge is making tools easier to use. "They have to be easy enough for a 3-year-old, but powerful enough for a nation," Iorizzo says. "When industry gets to that level, we'll know we've got it right."

]]>

Wireless Insecurity

Karen D. Schwartz — Sat, 01 Mar 2003 00:00:00 -0500

Wireless technology comes with strings attached-securing sensitive data.

he lure of wireless technology is proving irresistible. It's even making converts of die-hard pen-and-paper enthusiasts. It's easy to learn, inexpensive, convenient, efficient and even kind of fun. With all those factors in its favor, who could resist the urge to communicate critical messages instantly while on the go-in the corridors of the Pentagon, during a high-level meeting, or walking to your car after you exit the building?

Government employees, like the general public, are quickly embracing wireless technology, and the trend shows no signs of slowing. According to Framingham, Mass., market research firm IDC, the market for wireless security technology will grow by more than 50 percent over the next several years.

This trend has government executives both applauding the increases in efficiency that wireless technology brings and scratching their heads over how to ensure that secure information doesn't land in the wrong hands-either inadvertently or deliberately.

It's simple for a hacker to penetrate a wireless government network. "The reality is that the tools someone would need to hack a wireless [local area network] are readily available at any major computer store. And software can be downloaded to easily decrypt Web traffic over the Internet," says Jason Conyard, director of wireless product management at Symantec Corp. of Cupertino, Calif.

"The technology was developed for convenience, not for security. As in so many things, security has been more of an afterthought than part of the planning process, although that's changing," says Sally McDonald, assistant commissioner for the Office of Information Assurance and Critical Infrastructure Protection in GSA's Federal Technology Service, which is moving into the Homeland Security Department. "I'd be very cautious about putting the family jewels in a wireless system today, though."

It's precisely those family jewels-the government's most sensitive, critical data-that have officials concerned about the true level of security in agencies' wireless networks and devices.

"There don't seem to be many concerns about wireless security except at the very highest level of need, once you figure in the technology, the encryption, the standards and the security policies in place today," says Rob Rowello, a principal at management consulting firm Pittiglio Rabin Todd & McGrath. Rowello, based in Washington, says the only way to truly satisfy the government's security needs is by customizing already secure encryption capabilities. In most cases, this involves adding algorithms that maximize security. To get to this level of customization, agencies generally buy off-the-shelf security products and enlist a contractor to tailor them to their specific needs.

Take the popular BlackBerry handheld device offered by Research in Motion Ltd.(RIM) of Waterloo, Ontario. Government employees often use the device to access data and e-mail while away from their desks. To make it secure enough for its users, the National Security Agency, which has taken the lead on wireless security standards for the intelligence and defense communities, required that the device incorporate extra-secure encryption technology.

The NSA uses the Secure/ Multipurpose Internet Mail Extensions (S/MIME) standard for wireless handhelds, an e-mail security standard that uses public key cryptography to ensure the highest level of security. S/MIME provides writer-to-reader security, including confidentiality, message integrity and sender authentication. RIM has worked with the NSA to develop a version of this standard acceptable to the intelligence and defense communities.

"We had already done the development for S/MIME, but [NSA] wanted to ensure that we could incorporate their own encryption algorithms into their own version of the product," says Anthony LeBlanc, a group director at RIM. "They have appointed a trusted third party to load this NSA-approved encryption algorithm on what is essentially a vanilla BlackBerry."

The new S/MIME standard is critical to secure interdepartmental communication-something that will be particularly important for the new Department of Homeland Security, notes Tony Rosati, a vice president at Certicom Corp. of Mississauga, Ontario. "If everybody is using S/MIME and you use a common public key infrastructure, you can have cross-departmental communication securely," he says.

But even with agencies' best intentions and vendors' best efforts, there are still concerns. The Defense Department has taken several steps to prevent leaks of classified information from a secure environment over an insecure line. Defense has banned wireless devices in the Pentagon and put a moratorium on wireless local area networks (LANs) until organizations can show how those networks could be locked down-something achieved by encrypting all signals traveling on the network and making sure the right people are connected by implementing some form of strong user authentication. The edict requires an assurance that all data being sent wirelessly has no viruses and no data modification and a method of ensuring that a person can't deny sending or receiving information.

To ensure the highest level of security in all wireless communications, the NSA is developing a common protocol as well as a series of standards and procedures, says Gil Nolte, deputy chief of end-user technologies. The NSA must certify any wireless LAN or wireless handheld device before it can be used by security agencies. The NSA recently certified a secure wireless LAN PC card and wireless access point to protect classified information up to the Secret level, and is working to certify other products.

Given the NSA's stringent requirements and vendors' ability to customize their products, is stringent wireless security possible?

Yes, with many caveats, Nolte says. "You must change your paradigm of what is really possible. In the untethered world of wireless, you can no longer rely on physical barriers to protect access to your communications medium," he says. "However, given awareness of your environment, use of evaluated and trusted secure wireless devices, use of complementary and interoperable secure 'wired' desktop devices, and a network management/security policy that strictly controls wireless access to your network-then yes, I believe that wireless security can be obtained."

In many cases, the efforts are paying off. Army Communications-Electronics Command in Fort Monmouth, N.J., hired Northrop Grumman's information technology sector of Herndon, Va., to rework its method of communication between vehicles. The goal was to allow communication of secure information without having to physically cable units together, says Dean Knuth, national account manager of wireless solutions in the company's IT Defense Mission Systems business unit. Using existing technology and standards, Northrop Grumman was able to deliver a mounted wireless system cleared at the Top Secret level by the FBI. A later phase will allow similar communication between cargo planes.

With the appropriate standards and comprehensive security policies in place, the only remaining issue is the technology itself-something vendors say is ready, willing and able to handle the task at hand.

"There are three tenets to security: You have to protect the packet of information, the pipe it rides on, and the platform it processes with," says Tom Goodman, director of business development at Bluefire Security Technologies of Baltimore and a former government intelligence agent. Many vendors can protect the information, including Certicom and RSA Security Inc. of Bedford, Mass. Similarly, many tools can secure applications and technologies, such as virtual private networks, that help protect the pipe. Companies such as Bluefire provide technology to protect wireless handheld devices.

READY, WILLING AND ABLE

For most communication needs, experts say wireless technology and awareness is sufficient to ensure adequate security, provided that agencies are diligent in enforcing policies and standards.

The National Institute of Standards and Technology, which sets the guidelines for securing unclassified information, has developed a handful of useful standards in the wireless arena. Federal Information Processing Standard (FIPS) 140 is an encryption criterion every product must meet before being used in the federal government. And FIPS 197, which mandates the use of the Advanced Encryption Standard, replaces the aging Data Encryption Standard.

In a November 2002 report entitled "Wireless Network Security," NIST notes that risks in such networks exceed those in wired networks because of weaknesses in wireless protocols. To mitigate those risks, NIST urges agencies to adopt stringent security practices, periodically reassessing them as technologies mature and threats change.

Although civilian agencies are required only to ensure that wireless technologies meet NIST's standards, many go above and beyond, striving to meet the NSA's more stringent requirements.

"Organizations that will be more involved with homeland security seem to be looking to the NSA. And even civilian agencies that in the past have had more relaxed guidelines for wireless security are looking to the NSA and the DoD for guidance," observes RIM's LeBlanc.

Even some state governments, which don't have to follow any federal guidelines, are paying attention. Florida follows federal standards as they apply to the data it uses from the federal government. But as federal requirements have tightened, Florida's requirements often must tighten along with them, notes Kevin Patton, manager of network services for the state's Department of Law Enforcement in Tallahassee.

Patton says wireless technology has become ubiquitous throughout the state's agencies-something that is a blessing as well as a curse. "It's so inexpensive to buy these commodity items and put in wireless access points, often without the knowledge of the department. But if they don't know about it, they can't make sure it's adequately protected," he says.

To solve the problem, state officials have begun assigning information security officers at each agency and training them in wireless security methods. The state now has an Office of Information Security and is creating the Florida Infrastructure Protection Center, which will lend technical support to agencies when their networks are under attack. TruSecure of Herndon, Va., is setting up the office and helping all state agencies analyze their information security needs.

Although Florida's applications don't require the level of security needed in Top Secret federal correspondence, security is a real concern-real enough that many organizations are sitting up and taking notice.

"The solution is part common sense, part technology, part standards and policies, part commitment and part training," Certicom's Rosati says. "And that goes for any government agency that wants to get to the 99.9 percent confidence level."

Rosati believes the policies and technologies already are there, and agencies can achieve that level of confidence very soon. "We'll definitely get there at the DoD level this year," he predicts. "In other agencies, there is still a lot of education that needs to take place."

Karen D. Schwartz is a freelancer writer specializing in technology and business issues. She has written for numerous publications, including Business 2.0, CIO, InformationWeek, Mobile Computing & Communications and Electronic Business.

]]>

Mapping a More Secure Future

Karen D. Schwartz — Sat, 01 Feb 2003 00:00:00 -0500

or years, police, fire, emergency teams and even the FBI have helped maintain security when the Olympics are held in the United States. But recent events pushed security at the 2002 Winter Olympics in Salt Lake City to a new level, involving not only traditional security forces, but also seemingly unrelated agencies such as the Federal Emergency Management Agency, Customs Service, and Immigration and Naturalization Service. But perhaps most noteworthy was the critical role played by a federal agency that didn't even exist before 1996.

During the Salt Lake City Olympics, the National Imagery and Mapping Agency provided critical geographic information to the FBI and other authorities. The data, which incorporated information from the U.S. Geological Survey as well as military agencies, enabled authorities to analyze the area around the Olympic venues for potential security problems. Although NIMA had supported national security special events in the past, its data became particularly critical because of elevated security concerns as a result of the Sept. 11 terrorist attacks, says Anita Cohen, director of NIMA's Office of the Americas. Now, the FBI uses NIMA data on all deployments that involve concerns about terrorist activity. Recent examples include last year's Sept. 11 commemoration in New York City and the Major League Baseball All-Star Game.

Geographic information systems (GIS), long considered technical and mundane-the purview of cartographers shut away in back rooms-have become a vitally important ingredient in keeping America secure. Geographic data has significant potential for use in a variety of homeland security missions, including intelligence analysis, emergency response, disaster recovery and border control. Current and comprehensive GIS information allows rescue workers and government officials to obtain information about any potential disaster-from suspected terrorist hideouts to disease patterns, evacuation routes and hurricane paths.

At FEMA, one of the many ways GIS data is used is to create maps of potential hazards, such as floods. FEMA is working on a Web site that shows maps containing multiple hazards, which will be helpful in avoiding and dealing with disasters, according to Scott McAfee, the agency's GIS coordinator.

The Interior Department also is working on a GIS-based system that can be used for security-related purposes. When operational, the departmentwide geolocator system will use global positioning systems to flag the location of all department facilities. The system also will include information on the type of facility, how many employees work there, the skill sets of each employee, and whether there is emergency equipment on the premises.

"If there is a flood or earthquake, it would be nice to know quickly how many employees you had in the area and where they were at the time," says Scott Cameron, a deputy assistant secretary at Interior who heads the department's GIS efforts.

Even states and municipalities are instituting comprehensive GIS programs-an important development because local governments traditionally have played the biggest role in emergency management. New York City, for example, commissioned Oracle Corp. and Plangraphics Inc. of Frankfort, Ky., to create a citywide spatial data warehouse to better collect, manage and disseminate mapping data across municipal agencies. When finished, NYCMap will function as a repository of geographic information that citizens can access during everything from natural disasters to terrorist attacks.

In fact, Plangraphics was already on the case before disaster struck on Sept. 11, managing a GIS system for the city's Office of Emergency Management, located in a World Trade Center building that was not destroyed. Ultimately, the facility at Pier 92 became the Emergency Information and Mapping Center, generating about 90,000 maps for the response and recovery operations, which ended in the summer of 2002, says Plangraphics president John Antenucci.

Other states are moving along with GIS efforts as well. Delaware has created the Delaware DataMIL, a Web-based mapping collaboration tool that uses USGS data. Maine plans to create the Maine Library of Geographic Information to help organize the state's spatial data.

But some states aren't as far along. Wyoming CIO C. William Campbell, for example, is trying to coordinate the GIS efforts of several state agencies to create a comprehensive GIS infrastructure. Once the data is coordinated, Campbell will work to collaborate with Wyoming's sister states to make GIS information available across borders. The goal, he says, is to develop a coordinated system of GIS information that can be used for both natural disasters and terrorist attacks.

BRINGING IT ALL TOGETHER

No one would argue that geospatial data is critical to homeland security efforts. The word clearly has spread: Virtually every federal agency has a high-priority initiative in the geospatial arena, and Steve Cooper, President Bush's choice to be chief information officer at the Homeland Security Department, has publicly stated the importance of coordinated data.

The new Homeland Security Department is expected to take the lead role in ensuring coordination of geospatial data from organizations at all levels of government. That will involve collecting comprehensive GIS data from at least 133 cities, coordinating geographic standards and, most importantly, bringing together information from federal, state, local and tribal agencies.

It's a mammoth job by any standard. Just ensuring that cities and states have reliable and digitized geographic data is a challenge. "There are 3,300 counties in America, and virtually none have up-to-date and accurate imagery maps-something first responders need when they are going from one county to another for a major incident," says Mark Brender, executive director for government affairs at Space Imaging, a Denver-based company that supplies information derived from space imagery and aerial photography.

Once state and local GIS information is complete, an even more daunting task awaits-creating a single comprehensive system that incorporates all available geographic data-a geolibrary of sorts. "Right now, if I'm looking for a particular type of information, I have no way of knowing if it even exists. We need a system that enables people to access and plug in and use data for any legitimate purpose, whenever and wherever they want, knowing with confidence that it's accurate, timely and nationally consistent, " says Ronald Matzner, who serves on the Federal Geographic Data Committee, an interagency group. Matzner, who previously worked at the Office of Management and Budget, is now a private contractor with TIE Inc. of Alexandria, Va.

Several initiatives are under way to create a comprehensive GIS system. One is the National Spatial Data Infrastructure (NSDI), created by a 1994 executive order. The NSDI is a system of technologies, policies and standards to help promote geospatial data-sharing throughout government, the private sector, nonprofit organizations and academia. The NSDI includes more than 200 servers housing GIS-related data, such as FEMA's flood maps, the Census Bureau's Topically Integrated Geographic Encoding and Referencing system, USGS topography and hydrography data, and Transportation Department road maps.

That's a great start, but at the moment, the system isn't comprehensive and doesn't have a user-friendly and powerful portal. To address that issue, the Interior Department is coordinating the Geospatial One Stop program, a presidential initiative to develop a Web portal for geographic information, create common data content standards, and establish interoperability specifications. All federal agencies will be required to detail existing and planned geographic information collection activities on Geospatial One Stop.

When complete, the site will be useful in responding to crises, says Interior's Cameron. "The notion is to make it possible to go to one Web site and through a portal to get at data from a wide variety of sources covering a particular geographic area," he says. "By making transportation or population or hydrology information available through one Web site, you'll save time that first responders would otherwise have to spend trying to figure out the lay of the land."

But building a consistent, comprehensive geographic data repository will take time. In addition to the problems inherent in requiring state and local governments to shore up their GIS data, some federal agencies still haven't coordinated their own efforts. For example, FEMA is a lead agency in the GIS arena, but its internal approach remains fragmented. "As it stands right now, there are isolated pockets of GIS where people are taking advantage of it, but there is no real centralized function," McAfee says. He says agency leaders are working to rectify the situation.

For now, the major stumbling block is money at the federal, state and local levels. Although the idea of a national geographic data repository has been approved at the highest levels of government, investments needed to reach the goal have lagged behind. "There should be more funding, but so far it hasn't happened," Matzner says. "Right now, you hear numbers like $67 billion being spent on homeland security, but not one nickel has been spent on geospatial or geographic [concerns]."

Today, NIMA, USGS and other agencies working on geospatial data projects are performing much of their work with inadequate funding. "We've got enough money to support specific threats to particular cities or high-profile events like the Olympics or the New York City commemoration, but it's episodic," NIMA's Cohen says. "Until somebody recognizes and funds this at the national level, we won't have anything but episodic coverage."

Funding also is crucial for states, especially since many simply can't afford to coordinate geographic data in the manner necessary to achieve the federal government's goals. The Homeland Security Department is the logical place for geographic information systems funding grants to originate, many believe.

To rectify the funding issues and move forward, geographic data must become a priority at the Homeland Security Department. Cooper has said publicly that GIS is a key part of the department's vision and has committed to finding the money to develop the type of comprehensive data repository needed to support national security.

"We'll get there. Five years from now, we'll have structures in place to allow us to access information wherever and whenever we want for legitimate purposes and to allow decision-makers to make better decisions faster," Matzner says.

]]>

Searching for Order

Karen D. Schwartz — Wed, 01 Jan 2003 00:00:00 -0500

n the ongoing battle against terrorism, information about potential attacks must be confirmed or discredited quickly and thoroughly. If pertinent information isn't found fast-or if pieces of vital data are left undisclosed-the future of the country could hang in the balance.

Suppose an intelligence analyst is asked to investigate rumors of a planned attack. Ideally, he will have access to terabytes of data in hundreds of classified and unclassified databases throughout the government. He sits down at his computer, typing the words "terrorist," "al Qaeda" and "flight school" into his system, hoping to pull up valuable data on flight school registrants, terrorists affiliated with al Qaeda, known aliases of confirmed terrorists and other vital information. It's imperative that he misses nothing.

Whether he succeeds depends heavily on the search and retrieval technology his agency is using. That could be off-the-shelf information retrieval software that organizes content, performs searches and presents results. Or it could be a Web-based technology, such as Google, Yahoo or Oracle's UltraSearch, all of which categorize, index and rank results.

Each method has staunch supporters. In the first category, Verity Inc. of Sunnyvale, Calif., has customers at the State and Defense departments, among others, while competitor Convera (formerly Excalibur) of Vienna, Va., has customers at the Social Security Administration, IRS, and the Agriculture, Defense and State departments. Other competitors include Thunderstone Software LLC of Cleveland, with customers at Defense, the National Weather Service and Agriculture; and OpenText Corp. of Waterloo, Ontario, with users at the Air Force and Navy.

The Defense Technical Information Center (DTIC), which creates libraries and information retrieval systems for organizations throughout Defense, uses information retrieval software. Depending on a customer's requirements, DTIC might choose technology from Verity, Thunderstone or Convera to develop the search capability, notes Carlynn Thompson, DTIC's director of component information support.

"Each one of them does certain things more robustly," she says. "If you have a dedicated user community that needs [to do complex] searches, we might go one direction, but if users need sound bite-type retrieval, we might go in another." In the case of GulfLink, a system that covers issues related to the Gulf War, DTIC developed a search and retrieval system that incorporates all three vendors' systems. To guide users, DTIC provides a checklist of capabilities and directs users to the most appropriate system based on the answers it receives.

The approach has merit, says Rob Rowello, a manager in the Washington office of management consulting firm Pittiglio Rabin Todd & McGrath. Technology offered by such companies as Verity, Convera and others can predict what users need, allowing them to have information ready in a format available to them before they ask for it, he says. And increasingly, these tools can deal with both structured and unstructured data, up to a point.

One example is Verity's Export technology, which attempts to add more structure to unstructured data through categorization and personalization. "Verity-like solutions have the ability to predict what you might need based on your prior search history. This predictive capability is useful to people who might not know exactly what they need, or who are trying to narrow in on a specific "needle" of information within a large "haystack" of data, Rowello says.

Search-and-retrieval engines are newer to the federal space and claim fewer customers, but their use is growing. One of the top search engine firms, Google, recently released its Google Search Client, which is used by several military and intelligence organizations. While this model sometimes returns irrelevant data and is less likely to correctly categorize information, it can draw from more sources and can index information it doesn't own or store, notes Tim Hoechst, senior vice president of technology for Oracle Government, Education and Healthcare.

Both information retrieval systems and search engines that categorize data in a Web-based infrastructure can be made secure, but security often is more of a concern in the first model, where content is centrally stored. In the search engine model, federal systems typically run on closed networks, addressing security concerns.

Those who see Web-based search engines as the basis of intelligent information retrieval say their popularity is destined to grow. Such systems "can organize information in a simple way that benefits users immediately," says John Piscatello, a product manager at Google, which is based in Mountain View, Calif. "Inevitably information changes, new and better sources become available, or something gets reorganized and doesn't work anymore." With this type of solution, "software algorithms can identify the best quality information to deliver the top results," he says.

Some believe the real answer lies in a combination approach, taking the best from both of the main types of information retrieval technology. "If we first use search engines to cull out what we know from what we have, we can then build more centralized, structured sources from what we know," Hoechst says. "If I were doing this, I would set up a content management system with a data librarian to store and manage my organization's core documents so everything could be neatly organized, thoroughly maintained and easily found. I would also set up a search capability of the second type to be used as a secondary search mechanism when further searching is required."

Whatever the approach, one thing is clear-more and more government entities will take advantage of advanced information retrieval systems. In a recent study, Delphi Group of Boston forecast that the market will expand at a rate in excess of 20 percent through 2004. Driving that growth, the study says, will be the adoption by both government and leading companies of such technology.

The FBI is just beginning to create an information retrieval system, replacing its mainframe architecture with a Web-based approach. Contractor SAIC will work to develop a search and retrieval system that incorporates the reams of information that are available today only on paper. The final product, called the Virtual Case File, will allow FBI personnel to search case information, including both text and images, says Mark Tanner, acting assistant director of the FBI's information resources management division.

"If I want to know what the FBI knows about Mark Tanner, I could put in the name and get back a linked diagram that shows all of Mark Tanner's identifying data, that he was associated with this person because he worked with her and with that person because he made a phone call to him," Tanner says. "Then I could begin to mine through that data to see what the investigative activity was that drew those relationships." Tanner's team has not yet chosen a specific information retrieval technology, leaving it up to the contractor when the time comes.

ACHIEVING THE PINNACLE

The problem with today's search technologies, experts say, is that often they don't scour the entire body of knowledge available to an agency. Although a typical search may gather valuable information from myriad sources, it may not include relevant data from systems outside the agency or unstructured data in the form of white papers, news reports or e-mail messages.

The problem gets worse in the case of cross-agency searches. Developing an intelligent search and retrieval system that works across agency boundaries is fraught with difficulties. Not only must such a system handle both structured and unstructured data, it must be monitored for constant updates and deal with the varied security clearances of federal employees seeking information.

The State Department has worked hard to meet such challenges. State, charged with managing a data repository on all arms control treaties signed by the United States, has spent significant time and effort determining how best to make records available to people within and outside the department who work on arms control and international relations. Eventually, department officials migrated from a home-grown search system to a Web-enabled system from Convera. "We needed something where we could incorporate new databases very easily, and something that could maintain a distributed system but still provide a single point of access," says Ned Williams, deputy director of verification operations in State's Bureau of Verification and Compliance.

Williams and his team first did a proof-of-concept test with Convera in 1999, as the agency prepared to deal with the Y2K computer problem. The group set up a task force to monitor Y2K events worldwide from the State Department's perspective. "Since we had so many different agencies involved, that meant a lot of different formats for information and a lot of printed text," Williams says. "We needed something that would allow us to cross-index across different platforms."

CHALLENGES AHEAD

Integrating information from a variety of sources is clearly the primary challenge facing the federal government in developing systems to search and retrieve information, but it's just one of many. A second daunting task is dealing with the inherent complexities of security levels and access.

One way to get a handle on the challenge of integrating information from a variety of sources is to enforce the Government Information Locator Services (GILS) standard. While the standard is required of all federal search and retrieval systems, vendors are just beginning to realize the merits of complying with it, Thompson says.

Once systems are GILS-compliant, agencies will be better able to connect with databases from other agencies. More importantly, they will be able to easily transfer data and the way it is cataloged to another search tool without much retrofitting.

"We want to move as quickly as possible toward interoperable interfaces, because when you have that, you can pull in resources from lots of different maintainers and collection owners," says Eliot Christian, an architect of GILS, which is headquartered at the U.S. Geological Survey. He cites the example of FirstGov, the governmentwide Web portal. FirstGov, he says, started out by running information retrieval technology from Inktomi Corp. If FirstGov had used the GILS standard when it dropped Inktomi and went with FastSearch, a Norwegian information retrieval technology, it would have been able to leave all of its Web pages and cataloging alone. Instead, FirstGov had to re-catalog pages and re-enter search criteria, slowing the transition process.

DTIC is one of the agencies pushing for GILS compatibility. "As long as there is a GILS standard in the search engine, external organizations can come in and grab your data," Thompson says. "From a homeland defense perspective, we want to be able to share a lot of data among emergency management organizations, and using the GILS standard would help."

GILS could help combat the lack of standardization of search and retrieval tools even within agencies. In the State Department alone, for example, some bureaus use Convera while others use Verity.

Once federal agencies have comprehensive, functional and intelligent retrieval systems in place, the next step would be to use them to extract important pieces of information from text sources and mine them for unusual confluences.

"If you see, for example, that there is a co-occurrence of two terms within a certain window of time, you start to make progress in the war between terabytes of information and thousands of people processing that information," says Prabhakar Raghavan, chief technology officer at Verity. It's a relatively new idea, and one that Verity plans to add to the next release of its search tool, due in 2003. Raghavan says there is interest in the concept from the intelligence community.

The concept of further processing retrieved content holds great promise, DTIC's Thompson says. To make it work for most agencies, information retrieval vendors must combine the best of today's analysis tools (which search for the most frequently used words and perform document comparisons) and visualization tools (which can be used to search for emerging concepts that appear across multiple documents). As these tools become incorporated into more and more systems, search and retrieval will begin living up to its potential, she says.

]]>