If you have been at a recent Washington Capitals hockey game when the opponent scores a goal, you know the crowd routinely shouts out “Who cares!”

Last week, Steven VanRoekel, Federal CIO, released the long awaited OMB plan for the Federal Risk and Authorization Management Program, or FedRAMP; which reminds me to be thankful for pronounceable acronyms. The purpose of FedRAMP per the implementing OMB memorandum, is to “provide a cost-effective, risk-based approach for the adoption and use of cloud services”.

So were I a federal CIO, which I was, or an executive working for a provider to the Federal Government, which I am, what are the short- and long-term implications?

First, and most important, I think there are short- and long-term implications, which is not always the case with long awaited announcements and OMB produced memoranda.

However, I suggest the longer term implications tie more to the general topic of infrastructure rationalization than focusing specifically on the ever popular and impossible to avoid ongoing cloud frenzy.

It has long been my contention that while the IT focus in commercial organizations should be top-down to be most effective, in federal government it is the opposite: better off focused on a bottoms-up approach.

This difference reflects how funding, or revenue, is achieved.

In a commercial company revenue comes in from customers, is filtered through a sales organization and the decisions are controlled by executive leadership. IT leadership focuses on using the defined strategic goals to drive derived IT goals down into the rest of the organization.

In a government entity, funding comes through the appropriations process, and except in very rare circumstances, such as the Veterans Administration, is associated with the individual components that make up larger agencies or department, rather than with the overall mission of the department.

The real value of initial cloud implementations is they represent the next big step in allowing federal CIOs to get a handle on what IT provisioning is going on within the organizations.”

Because of this, the first hurdle for government CIOs is overall situation awareness; discovering what IT assets exist and figuring out how to put in place configuration management to keep track of those IT assets.

To just take one example, when OMB started pushing to consolidate data centers, it took months or longer to get an accurate inventory of how many data centers there were, let alone put together a plan to consolidate them.

Reducing costs is a reasonable goal to associate with cloud computing. Be warned that recent articles question whether cost savings will be large as some are articulating. See, for example, the discussion I participated in this last Friday on the Federal News Radio Countdown, hosted by Francis Rose.

The real value of initial cloud implementations is that they represent the next big step in allowing federal CIOs to get a handle on what IT provisioning is going on within the organizations. Every application that is moved to the cloud is one that now is visible to and can be managed and measured by the CIO. Consistent security approaches can be taken. And it is the inconsistencies, not whether an application is internally hosted or externally hosted, that lead to security weaknesses.

There are a few additional specifics from the OMB memorandum that I wanted to note.

First, the process still has some time before it will be put into place. The goal is to have the FedRAMP PMO, to be run by GSA, operational no later than 180 days from issuance. This follows interim steps including establishing formally the list of security controls, creating a Concept of Operations, and creating a charter for the Joint Authorization Board (run by DoD, DHS, and GSA) dealing with governance.

Second, it will interesting to see how robustly the effort will be funded over the next few years. Congress has not been consistently supportive of shared service implementations. From my stint at DOT, I remember the difficulties that OMB had keeping the various eGovernment initiatives sufficiently funded.

While outside the scope of this write-up, I contend that one reason that DoD continues to make progress in this area is because of the existence of a home, what I refer to as a “center of gravity”, for managing the resulting shared infrastructure, namely DISA. While I have nothing but the greatest admiration for Richard Spires and Casey Coleman, running shared services is not currently the primary mission of either DHS or GSA respectively.

Third, I found it interesting that both the CIO and the chief financial officer need to certify together the list of all cloud services that cannot meet FedRAMP security authorization requirements within their agency. The dividing line between what is expected from CIO’s and CFOs regarding program management is not always clear cut, and is made even less clear when the CIO has been folded underneath the CFO.

In April, 2009, I asked the question “Why are 42 or so different procurements now looking at clouds?” I was quoted as saying that I thought that instead cloud computing could be offered in a way … in which any federal agency can access a handful of major … contracts.”

And now a little over 2 ½ years later, we are only six months away from saying “You can.”

Daniel Mintz is chief operating officer of Powertek Corp. He served as CIO of the Department of Transportation from 2006-2009.

The opening night keynote speaker Scott Klososky, presented some interesting points but I felt left out some key issues; probably a bit of an unfair feeling since he only had an hour to cover a lot of material.

I wrote up my summary of what I thought was missing at AOL Government where I am a contributing blogger:

http://gov.aol.com/2011/10/25/reflections-at-elc-why-klososkys-keynote-missed-the-mark/

The first, and as of now only, comment came from Scott Klososky himself who graciously said he agreed with most of my points.

Best of all, they reached back into ancient history, and asked me to moderate a panel Friday, September 9th, from 10:15 – 11:15, entitled Moving Into the Cloud – Practical Experience.

We will four great panel members:

• Fred Whiteside, NIST; who will focus on the Government policy issues
• Wolf Tombe, Customs and Border Protection, DHS; who will take the perspective of the Government implementor
• Bob Hansmann, Blue Coat; who will discuss what it is like to be a commercial provider supporting cloud initiatives
• Dmitry Sokolowski, BAH; who will talk about the issues in providing support as an internal to Government consultant

It occurs to me that a lot of my writing starts with that phrase. I haven’t yet decided if I use it because I learned a lot there or because I think people will be more likely to listen if I start a discussion with it.

Regardless, when I was at the Department of Transportation we would do emergency training. What if there was another 9/11 attack, what if there was a cybersecurity attack, and so forth. Some of us got to go to semi-secret locations and stay underground, walk down long corridors with lights along the top casting shadows, lots of clacking of shoes on the floor, eating together in the cafeteria, periodically getting messages of incident updates, doing reports, watching the pretend (or real) Secretary, talking to the (always) pretend President, and so on. It was pretty cool, like getting to go back to camp for a day. Some of the exercises were pretty extensive involving multiple Government agencies including in some cases State and Local governments.

I was reminded of that recently when the great Washington Earthquake of 2011 hit. Many Federal agencies and departments practice implementing their COOP training. For the uninitiated, COOP stands for Continuity of Operations. COOP planning is actually pretty serious stuff dealing with how to ensure an organization can keep its essential functions running in an emergency. When the organization is one that many citizens depend on, COOP planning is very important.

In any event, at one Government agency, when the actual emergency happened, the earthquake, everyone scattered to leave their building.

On a side note it was only when some of us were outside, like me, that we learned that we had done exactly the wrong thing according to FEMA. Evidently I was to fling myself under a heavy table or find a load bearing door or something similar and stand there, so as the ceiling fell in, it would not fall on me. My instinctive reaction of getting off the second floor before the building collapsed was completely wrong, thus proving once again that no one should pay attention to me when an earthquake occurs.

Back to the agency in question, when all of the IT staff involved in COOP support tried to get to their COOP places, the building guards, who evidently weren’t involved in the emergency practices, and also evidently were not staying under a table, would not let them do so. After some argument, the IT staff gave up and left. So much for COOP training.

So what are the lessons to be learned here. I have two (of course).

First, in my opinion, emergency training is, as are most things, upside down. We spend all our time practicing the procedures we have set up to deal with an emergency. While this is useful and should continue to be part of emergency training, in a real emergency it is the unexpected that happens. It is, in fact, because of the almost certainty of unexpected circumstances that an event becomes an emergency.

Instead in my opinion, the major focus of emergency training should be to help people figure out what to do when they do not know what to do.

In true emergencies, everything breaks down. The expected leadership doesn’t show up and/or isn’t able to communicate effectively to the people who need advice and leadership. The congregation point where people are to meet becomes inaccessible. Something happens that is not in the plan at all. Chains of command fall apart because many of the links are gone.

In all of these cases, actions still need to be taken; collective behavior implemented; goals defined; and problems solved. People who are not prepared to deal with what to do when they do not know what to do, panic or take what often in retrospect are irrational paths of action. It is these issues that emergency training needs to focus on more than it does currently.

My second lesson is that much of this training requires some kind of virtual environment. One of the biggest problems when an emergency hits is problems with communications. However with almost all emergency training if you kill the communications, the training exercise would just stop. The training participants, and the people providing direction for the exercise, would not be able to interact.

In a virtual environment on the other hand you can do almost anything. If a major part of such training is to get individuals used to situations where they have to improvise as a stated goal, virtual environments become a much more plausible way to accomplish this.

A student wrote:

“Who has time to share information? Codifying one’s knowledge can be a very time intensive task. While many people share their knowledge via blogs, wiki’s and other such tools, getting individuals who are already overburdened to do this can be a challenge.  I’ve seen organizations try to force its employees to do this kind of thing resulting in very shallow products.”

From this conversation, I started to consider how this relates to some of the work my company, Powertek Corporation, www.powertekcorporation.com, has been doing with knowledge management. It seemed to me that in the end in the simplest sense knowledge management like information sharing solutions are all built upon the foundation of tagging information in a fashion that allows retrieval.

In the interactions I have had with Jeff Jonas, http://jeffjonas.typepad.com/, one of the smartest people I have met who studies all of this, he has impressed on me the importance of tagging information when it is ingested. Doing so afterwards is something liking trying to add the Dewey Decimal coding to a book after you put it on the shelf in the library. It would take so long to find the untagged books you typically wouldn’t get around to it.

If I can digress for a moment, and since this is my blog I guess I can write anything I want anyway I want to, while I was at the Department of Transportation and while watching what Vivek Kundra is trying to do with dashboards, I have pondered a similar issue – what tends to make some performance measurement systems and dashboards successful and some not.

I have come to believe that those dashboards whose metrics are automatically generated by the performance of the action being measured have a greater chance of surviving over time. The reason is that whenever an intermediate step is needed to generate the dashboard entries, organizations have many reasons to reassign or eliminate altogether the resources used to perform the intermediate step. Thus useful and even pretty successful measurement systems often last only as long as their sponsor stays and stays engaged.

So the common thread would be that the ‘sharing’ and ingesting into the knowledge management system, that is the tagging, should be accomplished when the information is created.

Looking specifically at knowledge management implementations that I am familiar with, most do the knowledge management part after, and often long after, the knowledge creation. The question then becomes whether it is necessary, or practical, to move tagging and ingesting to the actual knowledge creation.

I am sure experts in the field already know the answer to these questions, but if so, they often don’t seem to have sufficient impact on the large number of unsuccessful knowledge management implementations.

Each semester I find I learn a great deal from reading the papers and interacting with the students about them.

I have drawn three conclusions about policy creation from my past experience at the Department of Transportation, modified slightly from the current set of papers:

(1) Policies whose impact cannot be measured cannot be enforced.

(2) Measurements which are not created in some kind of automated fashion will not persist.

(3) Measurements which are not made visible don’t exist.

I have been part of a number of panels over the last few months which focused on the subject of Cloud Computing, the current state of the’art’, and as usual what barriers exist that need to be dealt with to make it easier to utilize. There certainly has been much written about it both pro and con and it remains a high-priority focus for the current Administrator and, in particular, Vivek Kundra, the Federal CIO.

For one of the graduate classes I am teaching this semester at the University of Maryland University College, the subject is touched upon as part of a broad look at technology changes and implications. The topic generated much comment by my students.

It seems to me that the subject starts from the wrong side of the discussion, the technology side. When the discussion turns to the impact, it starts at an important but not the most important concern, that of return-on-investment (ROI).

Today and in a number of future blog entries, I will talk about what I think are the current important issues associated with cloud computing. Today I start with what I perceive as a foundational issue, cost, but later in the week will move to what I believe are more important considerations and goals.

Note: I do not plan to rehash what cloud computing is, or is not, there are too many other write-ups that do this. Look at the National Institutes of Standards work on such definitions, I think it is pretty good.

SAVING MONEY. To me the least important, though I hasten to say not unimportant, goal of cloud computing is to reduce costs.

In the simplest sense, the provisioning of IT services costs money because of an overhead cost associated with buying computers and putting them somewhere as well as the operating costs of running them. When you spread that cost over more users then the cost per application usage goes down.

With cloud computing you have the potential, emphasis on the word potential, to achieve these savings by running multiple applications on the same computing equipment. This can be achieved when you use techniques to allow more than one application to run at the same time on the same computer increasing its utilization or when the peak levels of demand are different for each application, or both.

This much can be achieved by using what is called a private cloud, that is one that you run yourself. For organizations that have not centralized the provisioning of IT services, this one change can have a significant cost savings. The barriers to doing this are to some extent technical, it is necessary to gain experience in how to do this; but in large part cultural and organizational, it requires different groups within an organization to plan and work together.

Historically, computer usage in data centers is amazingly low, on average between 5 and 15 percent of capacity. By running multiple applications at once, using techniques such as virtualization, this capacity usage can usually be brought up to over 50% and often higher. This reduces the need for additional computing resources and cuts down on environmental costs such as cooling and power.

Moving to a more public cloud, which is one provided outside the organization, has the potential to achieve greater cost savings (maybe). Again looking at this in the simplest fashion, it spreads the overhead cost across still more users, with a public cloud perhaps in the thousands or more.

The other added advantage is that those organizations who have recognized that running data centers is not actually their core competency can out-source, currently a politically complex word, data center operations. On the other hand, organizations that do so need to develop a core competency of working with outside providers, which many organizations do not do.

It is interesting also to realize how many organizations want to move to externally provided IT resources because they feel they are too disorganized internally. This hope generally is not realized. There is an old saying that IT cannot organize a disorganized situation. I can promise you that outsourcing IT will not bring management controls to a situation where none currently exist. You first have to organize internally and only then look for outside provisioning. Electric power providers do not untangle the wiring in your house.

This last step, moving from an internally provided centralized IT provisioning process, private cloud, to an externally provisioned process, public cloud, is made still more complicated for Government due to security and privacy issues as well as fear of embarrassment issues; who needs to read in the Washington Post that your personnel system was hacked while sitting on some public provider; I speak from personal experience that testifying on the Hill about security issues is not why most people go into public service.

Having said that the first step, centralized provisioning, achieves a large percentage of the gain, and is worth working toward.

The other challenge associated with saving money is that many organizations do not do such a great job of tracking the costs which they are trying to reduce. Government organizations in particular often have in place rudimentary, or non-existent, cost accounting systems which keep track of all of the overhead associated with doing such work in-house. Thus the cost comparisons relate lower than actual internal costs against actual external costs. It is not a surprise that different organizations produce different conclusions.

I used to joke when I was at the US Department of Transportation that if you wanted to achieve a certain ROI I could help do so with 10 minutes and Excel.

To be continued …

In the Pentagon that joke morphed. Whenever someone wanted to get additional budget, the reason was to ‘Deal With China’. Well, in fact, maybe that is still true.

In technology today, the current budget justification phrase is ‘Cloud Computing’. Except in this case, exactly what Cloud Computing is or what it can do is even less clear than normal. On the other hand, that lack of clarity means there are lots and lots of meetings, seminars, and conferences that deal with trying to define Cloud Computing and provide advice on what to do about it.

In that context, I was on a panel Monday, May 3, that discussed Cloud Computing and the kinds of new skills that would be needed to support Cloud initiatives, http://events.1105govinfo.com/Events/Cloud-Computing-Summit-2010/Sessions/Monday/CC4.aspx.

I had three major themes.

My first theme was that people tended to mean one of a number of radically different concepts under the general topic of Cloud Computing.

Many actually were talking about consolidating multiple applications on a fewer number of servers – virtualization. It was this step that accomplished much of the savings, if there were to be any, from Cloud Computing. In fact, it was certainly possible to do server consolidation and application virtualization without actually implementing anything that actually was ‘in the Cloud’.

Others used the term Cloud Computing to putting applications on the Internet; in the web. This approach is also often described as Service Oriented Architecture, SOA. I am probably not capturing all of the nuances of SOA but to me this basically means taking a program which traditionally was self-contained and isolated and treating it like a service which others could access or integrate into a larger set of combined services. Doing so efficiently requires writing programs a bit differently, adding the ability for a service to be discovered, that is found by others, and adding the capability to expose aspects of the service to others.

SOA in the end requires not just technology change but also cultural change. To be most effective it requires an organization to be much more collegial and standards based in how it designs and develops software.

Finally, some people meant having applications, or aspects of an application such as the platform it runs on, provided externally; that is, through a cloud. The big challenge here is that when using only internal resources it is possible, though in my opinion unwise, to get by without taking the time or applying the necessary rigor to develop service level agreements (SLA’s) for all of the aspects of your system.

You can tell if people are working hard by peering over their shoulders. You can measure performance by users calling and yelling at you, and dynamically reallocate resources by yelling at someone down the hall.

However, when you move a resource out of your internal operation it becomes absolutely critical to develop robust SLA’s to manage your provider’s performance and define your expectations. It turns out that this is very hard to do especially in areas that historically have not been defined in very precise terms such as security or privacy. This is, again in my opinion, one of the major underlying reasons why there is such resistance to moving applications to the cloud.

My second theme is derived from that last point. It was always useful to create business architecture’s to drive technology development. While it might be inefficient, it was historically possible when everything was accomplish internally to ignore that benefit and instead do what was in effect the opposite approach, develop technology solutions that ended up impacting the business.

However if an organization wants to move to the not-well-defined cloud, it becomes necessary to define the business architecture’s and business goals associated with the applications. Without that definition, the likelihood of achieving the promised benefits associated with Cloud Computing are highly unlikely to be achieved.

My third theme was that the major human capital impacts were:

• Technical and operational IT assets were likely over time to move to external service providers and away from user organizations
• The demands on procurement and legal professionals were going to change as their responsibilities became more and more ‘horizontal’ between organizations and their providers of service and less ‘vertical’ supporting internal hierarchical organizations
• The importance of technical staff who also were comfortable with business issues would dramatically increase.

Federal Computer Week, http://fcw.com/Articles/2010/05/04/cloud-computing-implications.aspx, covered the panel.

“Welcome to the first Upstate CIO Conference, where CIOs from Upstate New York will connect, discuss industry trends and emerging technologies, and inform course content for information executives.

The Upstate CIO Conference is a one-day conference, held on Friday, April 16, 2010, at the School of Information Studies (iSchool) on the Syracuse University campus. The conference brings together Upstate CIOs and information technology professors to explore how academic research and professional experience come together to create innovative solutions to industry challenges, create industry trends, and educate professionals who can meet the needs of the 21st century global workplace.”

I was invited to give the keynote for the conference and to serve on a panel focusing on IT Governance. My keynote will discuss my thoughts regarding governance and how it differs between the private and public sectors. I’ll also cover what I call First Principals which are some of the key trends that are underneath some of the current technology trends.

I have included a copy of the slides below. In the interests of full disclosure, I also serve as an adjunct professor at the iSchool teaching graduate distance learning classes related to CIO Management and Cyber-security Policy.

Upstate CIO Conference Slides

The link to the conference site is: http://ischool.syr.edu/newsroom/cio/conference.aspx.

“When I use a word,” Humpty Dumpty said, in a rather scornful tone, “it means just what I choose it to mean – neither more nor less.”
“The question is,” said Alice, “whether you can make words mean so many different things.”
“The question is,” said Humpty Dumpty, “which is to be master – that’s all.”

And thus it is with Cloud Computing. The question on the table is whether we are to be the master of the Cloud Computing concept and what it means to us as practitioners and/or users or whether we will treat it as magic providing whatever value we have need of during that moment in time.

For those of you, who are willing to brave Washington during the Nuclear Security Summit, April 13, I encourage you to drop by a Digital Government Institute sponsored event called “Use Secure Cloud Today to Optimize Customer Experiences”, being held at the Willard Hotel, from 8:30am to 1pm; registration opens at 7:45am.

I was asked to be on a panel at the conference starting at 10:30 entitled Meeting Customer Expectations In the Cloud, Practical Experience”. The panel will be hosted by Chris Dorobek, the ever popular host of the Federal News Radio afternoon show The Daily Debrief, and is scheduled to have:

• Gil Guillen from the Office of Electronic Services at the Social Security Administration;
• Laef Olson, CIO, RightNow Technologies;
• Thom Rubel, Vice President, IDC Government Insights; and
• Joe Thele, Director Air Force Personnel Operations Agency.

Based on the last phone call interaction with the other panelists Chris will lead us through three sub-topics:

• Current status,
• Thoughts on why one should consider ‘doing’ Cloud Computing, and
• Examples of lessons learned and how to deal with the barriers that tend to get in the way when doing so.

It should be fun and informative.

You can get further information at:

http://www.digitalgovernment.com/Events/Conferences/Use-Secure-Cloud-Today-to-Optimize-Customer-Experiences.shtml.

And as an added benefit, you can go out before or after and demonstrate for or against the Summit activities.