<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tales from the Technoverse &#187; GSA</title>
	<atom:link href="http://www.ourownlittlecorner.com/tag/gsa/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ourownlittlecorner.com</link>
	<description>Commentary on social networking, technology, movies, society, and random musings</description>
	<lastBuildDate>Thu, 26 Jan 2012 21:14:06 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Why FedRAMP Is Worth Caring About</title>
		<link>http://www.ourownlittlecorner.com/2011/12/12/why-fedramp-is-worth-caring-about/</link>
		<comments>http://www.ourownlittlecorner.com/2011/12/12/why-fedramp-is-worth-caring-about/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 03:25:43 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[CIO]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cyber-security]]></category>
		<category><![CDATA[government 2.0]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[cio]]></category>
		<category><![CDATA[DHS]]></category>
		<category><![CDATA[dod]]></category>
		<category><![CDATA[federal news radio]]></category>
		<category><![CDATA[FedRAMP]]></category>
		<category><![CDATA[francis rose]]></category>
		<category><![CDATA[GSA]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[powertek corporation]]></category>
		<category><![CDATA[Steven VanRoekel]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Veterans Administration]]></category>

		<guid isPermaLink="false">http://www.ourownlittlecorner.com/?p=375</guid>
		<description><![CDATA[Reposted from AOL Government, http://gov.aol.com/2011/12/12/why-fedramp-is-worth-caring-about/. If you have been at a recent Washington Capitals hockey game when the opponent scores a goal, you know the crowd routinely shouts out &#8220;Who cares!&#8221; Last week, Steven VanRoekel, Federal CIO, released the long awaited OMB plan for the Federal Risk and Authorization Management Program, or FedRAMP; which reminds me to be [...]]]></description>
			<content:encoded><![CDATA[<p><em>Reposted from AOL Government, <a href="http://gov.aol.com/2011/12/12/why-fedramp-is-worth-caring-about/">http://gov.aol.com/2011/12/12/why-fedramp-is-worth-caring-about/</a>.</em></p>
<p>If you have been at a recent Washington Capitals hockey game when the opponent scores a goal, you know the crowd routinely shouts out &#8220;Who cares!&#8221;</p>
<p>Last week, <a href="http://gov.aol.com/tag/Steven+VanRoekel,/">Steven VanRoekel,</a> Federal CIO, released the long-awaited OMB plan for the Federal Risk and Authorization Management Program, or FedRAMP, which reminds me to be thankful for pronounceable acronyms. The purpose of FedRAMP, per the implementing <a href="http://www.linkedin.com/pub/steven-vanroekel/12/96b/964">OMB memorandum</a>, is to &#8220;provide a cost-effective, risk-based approach for the adoption and use of cloud services&#8221;.</p>
<div>This blog entry is my attempt to answer the question &#8220;Who cares!&#8221;</div>
<p><span id="more-375"></span><br />
So were I a federal CIO, which I was, or an executive working for a provider to the Federal Government, which I am, what are the short- and long-term implications?</p>
<p>First, and most important, I think there <em>are</em> short- and long-term implications, which is not always the case with long awaited announcements and OMB produced memoranda.</p>
<p>However, I suggest the longer term implications tie more to the general topic of infrastructure rationalization than focusing specifically on the ever popular and impossible to avoid ongoing cloud frenzy.</p>
<p>It has long been my contention that while the IT focus in commercial organizations should be top-down to be most effective, in federal government it is the opposite: better off focused on a bottom-up approach.</p>
<p>This difference reflects how funding, or revenue, is achieved.</p>
<p>In a commercial company revenue comes in from customers, is filtered through a sales organization and the decisions are controlled by executive leadership. IT leadership focuses on using the defined strategic goals to drive derived IT goals down into the rest of the organization.</p>
<p>In a government entity, funding comes through the appropriations process, and except in very rare circumstances, such as the Veterans Administration, is associated with the individual components that make up larger agencies or departments, rather than with the overall mission of the department.</p>
<blockquote><p>&#8220;The real value of initial cloud implementations is that they represent the next big step in allowing federal CIOs to get a handle on what IT provisioning is going on within the organizations.&#8221;</p></blockquote>
<p>Because of this, the first hurdle for government CIOs is overall situation awareness; discovering what IT assets exist and figuring out how to put in place configuration management to keep track of those IT assets.</p>
<p>To just take one example, when OMB started pushing to consolidate data centers, it took months or longer to get an accurate inventory of how many data centers there were, let alone put together a plan to consolidate them.</p>
<p>Reducing costs is a reasonable goal to associate with cloud computing. Be warned that recent articles question whether cost savings will be as large as some are articulating. See, for example, the discussion I participated in this last Friday on the <a href="http://www.federalnewsradio.com/86/2664084/Federal-News-Radio-Countdown-Cloud-computing-banning-email-and-USPS-budget-woes.">Federal News Radio Countdown</a>, hosted by <a href="http://gov.aol.com/tag/Francis+Rose/">Francis Rose</a>.</p>
<p>The real value of initial cloud implementations is that they represent the next big step in allowing federal CIOs to get a handle on what IT provisioning is going on within the organizations. Every application that is moved to the cloud is one that now is visible to and can be managed and measured by the CIO. Consistent security approaches can be taken. And it is the inconsistencies, not whether an application is internally hosted or externally hosted, that lead to security weaknesses.</p>
<p>There are a few additional specifics from the OMB memorandum that I wanted to note.</p>
<p>First, the process still has some time before it will be put into place. The goal is to have the FedRAMP PMO, to be run by GSA, operational no later than 180 days from issuance. This follows interim steps including establishing formally the list of security controls, creating a Concept of Operations, and creating a charter for the Joint Authorization Board (run by DoD, DHS, and GSA) dealing with governance.</p>
<p>Second, it will be interesting to see how robustly the effort will be funded over the next few years. Congress has not been consistently supportive of shared service implementations. From my stint at DOT, I remember the difficulties that OMB had keeping the various eGovernment initiatives sufficiently funded.</p>
<p>While outside the scope of this write-up, I contend that one reason that DoD continues to make progress in this area is because of the existence of a home, what I refer to as a &#8220;center of gravity&#8221;, for managing the resulting shared infrastructure, namely DISA. While I have nothing but the greatest admiration for Richard Spires and Casey Coleman, running shared services is not currently the primary mission of either DHS or GSA respectively.</p>
<p>Third, I found it interesting that both the CIO and the chief financial officer need to certify together the list of all cloud services that cannot meet FedRAMP security authorization requirements within their agency. The dividing line between what is expected from CIOs and CFOs regarding program management is not always clear cut, and is made even less clear when the CIO has been folded underneath the CFO.</p>
<p>In April, 2009, I asked the question &#8220;Why are 42 or so different procurements now looking at clouds?&#8221; I was <a href="http://gcn.com/articles/2009/04/20/internaut-mccarthy-on-civilian-disa.aspx">quoted as saying</a> that I thought that instead cloud computing could be offered in a way &#8230; in which any federal agency can access a handful of major &#8230; contracts.&#8221;</p>
<p>And now a little over 2 ½ years later, we are only six months away from saying &#8220;You can.&#8221;</p>
<p><a href="http://gov.aol.com/tag/Daniel+Mintz/">Daniel Mintz</a><em> is chief operating officer of </em><a href="http://gov.aol.com/tag/Powertek+Corp./">Powertek Corp.</a><em> He served as CIO of the Department of Transportation from </em><em>2006-2009.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ourownlittlecorner.com/2011/12/12/why-fedramp-is-worth-caring-about/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DISA and Open-Source</title>
		<link>http://www.ourownlittlecorner.com/2010/01/26/disa-and-open-source/</link>
		<comments>http://www.ourownlittlecorner.com/2010/01/26/disa-and-open-source/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 12:11:56 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[government 2.0]]></category>
		<category><![CDATA[2.0]]></category>
		<category><![CDATA[Casey Kasem]]></category>
		<category><![CDATA[Countdown]]></category>
		<category><![CDATA[DISA]]></category>
		<category><![CDATA[francis rose]]></category>
		<category><![CDATA[GSA]]></category>
		<category><![CDATA[open-source]]></category>
		<category><![CDATA[wfed]]></category>

		<guid isPermaLink="false">http://www.ourownlittlecorner.com/?p=150</guid>
		<description><![CDATA[In an earlier post, I talked about the radio show Countdown hosted by Francis Rose on WFED at 2pm Fridays. The deal was that Francis would have three people select their top Government-related stories of the week and present them in sort of a Casey Kasem 3-2-1 countdown. I was on January 15th, you can [...]]]></description>
			<content:encoded><![CDATA[<p>In an earlier post, I talked about the radio show Countdown hosted by Francis Rose on WFED at 2pm Fridays. The deal was that Francis would have three people select their top Government-related stories of the week and present them in sort of a Casey Kasem 3-2-1 countdown.</p>
<p>I was on January 15<sup>th</sup>; you can listen to the entire show that week at <a href="http://www.wfed.com/index.php?nid=17&amp;sid=1865007">http://www.wfed.com/index.php?nid=17&amp;sid=1865007</a>.</p>
<p>In this post, I wanted to briefly touch on the second of the two articles I discussed, <em>DISA expands access to ProjectForge cloud environment</em>, <a href="http://gcn.com/articles/2010/01/13/disa-projectforge-collaboration.aspx">http://gcn.com/articles/2010/01/13/disa-projectforge-collaboration.aspx</a>.</p>
<p>The article illustrates the greater comfort level that Government has with using open-source software produced by non-Governmental organizations. While not explicitly mentioned, this increased involvement is leading to open-source development going the other direction; being produced by Government and then placed into the greater community.<span id="more-150"></span></p>
<p>Just to make sure that everyone is on the same page, I should explain a few terms.</p>
<p>DISA, which stands for Defense Information Systems Agency, provides an increasingly large part of the Information Technology infrastructure for the Department of Defense; <a href="http://www.disa.mil/">http://www.disa.mil/</a>.</p>
<p>As I have mentioned in a number of venues before, I believe there needs to be a Civilian version of DISA to serve a similar purpose. The most logical candidate to me for this is GSA, though historically GSA has done a better job of managing contracts than managing the implementation of contracts. Regardless, as the Government increasingly understands the value of centralizing the provisioning of infrastructure, allowing the Program staff to focus on their program mission, DISA has increased its responsibilities; not without growing pains but that is a different blog entry.</p>
<p>The article talks about DISA expanding its ProjectForge effort associated with Cloud Computing. This effort is part of its forge.mil program. The word ‘forge’ comes from the original efforts to develop Open-source software.</p>
<p>Open-source software typically is created by crowd sourcing, that is, with the participation of many contributors, often in a fairly loosely coupled fashion. The process and the resulting source code are presented transparently. Companies typically make money around open-source efforts by selling training, consulting, and/or support contracts of one sort or another. For more details, see <a href="http://opensource.org/">http://opensource.org/</a>.</p>
<p>There has been a continuing argument within Government over the proper place for open-source software. Some people are uncomfortable with the thought that the software has no single creator or owner.  Open-source advocates would argue that the gains achieved by making the source code completely visible are significant. Security experts tell me that security that is premised largely on secrecy ultimately fails. In the same way, the power of exposure, at least in theory, reduces the possibility of bugs and/or trapdoors which cause security vulnerabilities in a software application.</p>
<p>Fundamentally this discussion represents the much broader issue of the real-world value or power of crowd sourcing versus classical hierarchically produced results. I plan to talk more about this in later blog entries.</p>
<p>Returning to the article I presented, it is clear that the argument over Government use of open-source is being largely decided in favor of use. Here we have one of the largest providers of IT in the Federal Government with an active open-source effort both in concept and execution within the Federal Government.</p>
<p>The article also illustrates one of the under-reported stories; that of Government produced open-source software. It is increasingly common that the Government makes use of privately produced open-source software. But there are an increasing number of situations where the Government is creating open-source software and either making it available to a larger community for usage or even setting up relationships with non-Governmental organizations to manage the resulting open-source community.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ourownlittlecorner.com/2010/01/26/disa-and-open-source/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

