Handing Over the Keys to the Kingdom

hen Jim McBrayer took on the duties of chief information officer for the Army Simulation, Training, & Instrumentation Command (STRICOM) in 1992, one of his first decisions was to outsource virtually all of the command's information technology functions-everything from procurement and asset management to customer support and network management. It was a simple decision, he says. Not only was IT far from a core competency for the command, which provides the Army with training devices, simulations, simulators and instrumentation, but the organization was losing technical employees to attrition, retirement, and even death. McBrayer quickly saw that outsourcing most IT functions to industry could solve those problems.

Today, contractor Northrop Grumman Corp. administers, maintains and upgrades STRICOM's IT network management infrastructure using CA-Unicenter network management software from Computer Associates International Inc. With very little input from McBrayer or his staff, Northrop Grumman is responsible for the health of each STRICOM officer's desktop computer, the software that resides on it, the wires that carry the officer's e-mail, and the servers that store his messages and send them along through the STRICOM intranet to their intended recipients.

What Northrop Grumman does for STRICOM-and what many other contractors do for other federal agencies-is handle the day-to-day management of everything related to the transfer of information from one person or computer to another. In most cases, that includes 24/7 monitoring of hardware and the connections among hardware devices, the applications that run on the hardware and provision of system security and help desk functions.

STRICOM's approach is becoming common among federal agencies, and for good reason. Having an easily replaceable technology staff that can grow and shrink with the workload makes outsourcing network management an attractive option. Accountability is another positive factor.

"In general, the government is looking for one throat to choke," says William White, regional vice president for Sprint's government systems division. Sprint plays a role in network management at many agencies, including the Federal Reserve, U.S. Courts, the General Services Administration, and the Veterans Affairs, Energy, Education and Justice departments. By outsourcing network management to one entity, White says, agencies know where to go to get their problems resolved quickly.

Of course, there are exceptions to the outsourcing trend. Intelligence agencies, for example, often have such strict security requirements and confidential data that few private companies can qualify to handle their networks. And many parts of the Defense Department, often reluctant to relinquish control, also prefer to handle network management in house.

Wholesale outsourcing of network management can work well, but only if agencies maintain some level of control over the process. Keeping internal control over the process-even if that control is supervisory and high-level - is the key to success, say industry observers and vendors. "It made sense for us to outsource network management, but we didn't want to hand over the keys of the kingdom. Control was paramount," McBrayer says. "We own the topology, access, standards and requirements. It's seat management, but it's supervised and governed seat management."

Seat management is a method often used by contractors to coordinate and oversee the day-to-day operational control and support of desktop computers, servers, applications and networks.

For the Environmental Protection Agency, maintaining control has been something of a mantra over the last five years, as contractor Lockheed Martin Corp. has managed many of the agency's technology resources, including its network. But agency leaders are so pleased with how well outsourcing network management and associated technology functions has gone that they are planning to give up some of their control when putting their follow-on contract up for bid. The new contract, to be let by the end of the current fiscal year, will retain the outsourced network management arrangement while moving to a managed services approach, says Jody Zeugner, EPA's telecommunications program manager.

"Right now, if we run out of horsepower on a computer and need to bring in another processor, a federal employee goes to the contractor and tells him what type of processor to install," Zeugner explains. "With the new contract, we're trying to give the contractor even more responsibility in the decision-making process so we can use our scarce federal staff to concentrate less on monitoring contractors' day-to-day activities and more on dealing with our EPA customers."

Zeugner admits that relinquishing some control adds an element of risk to outsourcing network management. To mitigate that risk, the agency plans to phase in the new approach over several years and retain crucial elements of control. "We're not handing over the keys. We retain the responsibility for infrastructure security," he says. "[The contractor] will always have to adhere to service levels and provide a lot of reporting on security incidents. We'll always have somebody on staff who manages the contractors." The term "service levels" refers to the degrees of maintenance, upgrading and fixing the contractor is required to perform in each area (hardware, applications, etc.) covered under the contract.

Moving to managed services-something the Treasury Department also plans to do when it replaces its aging contract with TRW for IT services in a few years-can actually increase the amount of control agencies exert over their outsourcers, says Mayi Canales, acting CIO at Treasury. "You define outcomes based on your business. If I need to have secured network services or 24/7 network coverage with the ability to be back up within 60 seconds, all we have to do is define those outcomes and the outsourcers carry it out," she explains. Treasury employees define the outcomes based on input from market research firms like Gartner, Giga Information Systems and Meta Group. They then communicate those outcomes to the appropriate contractors.

Agencies that decline to retain control over network outsourcing often end up paying in money, time, current technology and overall control. "If an agency is going to outsource, it should retain title to the networking software and any other products being used for network management. That keeps their options open on the back end of the engagement," says Peter Scalone, area manager for Computer Associates' federal systems group.

If agencies fail to maintain control, chaos can ensue, he says. Agencies can be held hostage to their outsourcers at contracts' end, because the contractors hold title to the products used for network management. The follow-on contractor may not be able to perform needed upgrades because the agency doesn't hold title to the products. A well thought out exit strategy is as important as the decision to outsource the operation. If the plan doesn't work or the contractor fails to meet expectations, the agency should be able to cut its losses and move on.

Another method of retaining some degree of control over day-to-day network management is by retaining what Sprint calls "read access." Sprint installs terminals in agencies' facilities so "they can see exactly what we see in our network management center so they have the comfort of knowing what's going on in their network," White explains. White calls this a "co-management arrangement," although he admits that agency employees have no way to override what they see happening.

But if you give up most of your control over network management, doesn't security become a concern? No, say agency leaders, who insist their security concerns haven't risen even since Sept. 11. "All of the top-secret systems being developed for us are manufactured by industry. Industry is as qualified or more qualified in security provisions than government," McBrayer says. "The events of the last year haven't impacted our vision or processes at all." In some cases, using an outsourcer for network management can actually add a level of security, Scalone notes. "By using an outsourcer, agencies can hide who the end user is, which can be important in the intelligence community," he says. "You can blanket things in different ways, so it's not apparent who all the players are."

But there is more to the security equation. "Authentication and authorized access to networks, systems and applications are vital in today's extended network environments, particularly given the need for system-to-system interchange of information and increased need for collaborative systems and data sharing," Scalone says. He also recommends making sure the network infrastructure is manageable and can be expanded, that applications work well together and that appropriate controls are in place so the outsourcer can oversee and review hardware, software and networking on a consistent basis.

The growing number of federal agencies choosing to outsource network management are using a variety of procurement methods to purchase the services. While some agencies prefer large, pre-negotiated contract vehicles from federal agencies such as the Defense Telecommunications Service and the General Services Administration's Federal Technology Service (FTS), others choose to set up their own network and telecommunications contracts.

The EPA, which is just about to issue a follow-on to its current contract with Lockheed Martin, has chosen to switch strategies. Although it developed its own request for proposals for all previous contracts, this time, it has chosen to procure network management services through FTS' Millennia contract. The reasons, say EPA's Zeugner, include timesavings and a streamlined procurement approach. "All the major players in the industry are already qualified on the contract," he notes.

Other agencies prefer to go it alone, bypassing predeveloped contracts in favor of creating their own. Reasons vary, but include lack of flexibility, an inadequate contract life cycle, or unique requirements that can't be accommodated in preexisting contract vehicles.

For the Treasury Department, which is just beginning to decide how to rework its existing contract for network and security management to encompass managed services, the decision of whether to go with a prenegotiated contract or develop its own will depend on many factors. "Treasury is very diverse. We have security requirements, law enforcement, economic policy, trade, foreign asset tracking. If we're outsourcing all of our network management, backup, recovery and telecommunications, we need to make sure we have a very diverse support system," Canales says. "We'll evaluate all options."

Clearly, there is no one-size-fits-all solution for choosing a network management outsourcer. But no matter which method an agency chooses, experts say, the most important thing is to create an environment in which network management is performed reliably, equipment and software are upgraded as often as possible, and IT staff are available to handle day-to-day network management issues as well as emergencies and potential security breaches. "At this point, networking should be dial tone-when you pick up your phone, it works. That's the kind of system that should be in place with an outsourcer," McBrayer says.