Feds, States Differ on Receptivity to Software as a Service
Federal agencies aren’t yet big fans of the software-as-a-service (SaaS) business model, due to security and budget cycles, officials said Wednesday at the SaaS/Gov conference in Washington. But states see promise in Web-hosted applications usable on demand without big up-front license payments, especially in working with each other on policy issues. The conference was sponsored by the Information Technology Association of America, the Software and Information Industry Association and the consulting firm INPUT.
In regard to SaaS, the Department of Defense is “somewhat skeptical… conceptually,” said Kevin Carroll, until October program executive officer for enterprise information systems in the U.S. Army and now head of a technology consulting firm. “Is it really to save me money,” or just to line SaaS vendors’ pockets, he asked rhetorically. DoD typically buys software licenses upfront, waiting years to upgrade, sometimes not even buying maintenance services, he said. “We have a lot of trouble just getting enterprise agreements pulled together” across the vast, decentralized Defense Department. The agency has bought remote services, and “sometimes it turns out that we got a little nervous” about where defense data were hosted, Carroll said: “Is the People’s Liberation Army seeing this stuff?” He predicted that the federal government would adopt SaaS “in pieces” as it watches states’ experiences.
The General Services Administration needs “a coherent story to tell,” if it hopes to convince the 135 agencies it serves that SaaS is feasible, Chief Technology Officer Fred Schobert said. Agencies prefer to pay for software licenses upfront on their fixed budget cycles, he said. GSA got SaaS off the ground with its hosting center for the Networx contracts for telecom services, Schobert said: “We had to start and get C&A [certification and accreditation] ourselves.” The agency convinced providers that their bids, uploaded directly to GSA’s server, would be protected from rivals’ snooping, Schobert said. It’s doing the first C&A for its Networx hosting center since 2005. Officials pushing SaaS to management should take a “system engineering approach,” explaining how it will reduce agency risk, he said. “Nobody wants to develop software from scratch.”
SaaS is a “linchpin of our strategy moving forward,” said Aneesh Chopra, Virginia secretary of technology. “I actually don’t sweat much about license fees” but about software development’s high cost, which he pegged at 90 percent of any technology project. For example, vendors aren’t offering software to help validate immigration status, a headache for many states, Chopra said. Virginia is a founding member of AppExchange, a new service by Salesforce.com, among the earliest SaaS providers, in which states share and build on one another’s software for similar policy issues. Researching for First Lady Anne Holton, a champion of long-term foster care, Chopra learned Michigan had developed non-SaaS software to improve foster placement. “Man, what a nightmare,” Chopra said. The software couldn’t be adapted to run on state IT systems.
The core development problem is translating strategy into code, Chopra said. The goal is to “minimize the distance between brain power at the agency head level and then turn it on” in the IT department, he said. Virginia’s contribution to AppExchange is a streamlined application form for startup businesses. The form automatically will supply their information across several required government forms, Chopra said. The state is working with 25 others on so-called OneStop programs. The typical software development cycle is three years and involves a mountain of proprietary code, but a “platform relationship” should cut development to three months, he said. When a state wants to modify another’s software, “an idea I have Monday can show up Thursday.” -- Greg Piper
SaaS/Gov Notebook…
The Federal Information Security Management Act needs only one change, in the view of the Office of Management and Budget, Administrator Karen Evans said at the conference: “Systems” should be replaced by “services.” “What we're really trying to pull away from now is ‘what is a technology’… What I'm really concerned about is the outcome,” Evans said. The entire government is moving toward service-oriented architectures, led by the Defense Department’s Global Information Grid and concept of net-centric warfare, because agencies can “reuse the service” and deploy it faster, she said. The OMB is working to educate agencies that there’s nothing in federal guidelines stopping them from using SaaS platforms. But it’s also working with the National Institute of Standards and Technology to make sure that none of its guidance gives the wrong impression. Using SaaS platforms doesn’t mean agencies can skimp on security, she warned. The Federal CIO Council, which Evans leads, is also pressing agencies to “deposit” their certified and accredited software with the council for other agencies to use. In the past few weeks, the OMB has been advising agencies to avoid “brand-specific” procurements and advertise what platforms they're running to help vendors reply, Evans said. Asked how the feds could emulate the states’ AppExchange project, Evans said agencies need to write vendor contracts so it’s clear that the government owns the intellectual property and can share it at will. While at the Justice Department, Evans said she got into tussles with contractors that tried to resell code developed specifically for Justice, “so I started giving the code away [to other agencies], which did not make a few contractors very happy.” She told agency peers not to read too much into OMB guidance: Some had interpreted its desktop configuration standards (WID June 27 p4) as a mandate to install Vista.
“You really have to look at the whole thing” by total cost of ownership, whether it’s open source or “shrinkwrap” software used for a project, Evans said. Asked how SaaS vendors could get around agencies’ demand for software that fits reliable budget cycles, Evans said they should emphasize “flexible” contracts with both regular usage and “capacity surge” provisions. That’s how the contract for the GovBenefits.gov site is written, since OMB doesn’t want to pay for “unused capacity” when site traffic is low, she said. “You lose total credibility” if the server goes down after the president makes a major announcement, though. Evans didn’t have much advice for a questioner who said agencies were requiring his company to go through C&A after initial approval by another agency, an expensive process. “Most agencies watch the VA situation and they don’t want to be there,” she said. Evans was shocked by a questioner who said a new part of the desktop configuration rules bars certification for some Internet-connected applications, a blow to any SaaS provider. She promised to look into his claim. -- GP
----
SaaS is merely a “tool” appropriate for some situations and not others, regardless of how secure the technology can be made, said Steve Saboe, who heads the Nonproliferation and Disarmament Fund at the State Department. State is working with North Korea on dismantling its nuclear program, work requiring unpleasant information-technology choices, he said. “These are not trusted people, but these are people you want to have, so to speak, on your network.” Saboe’s unit had a two-week window to develop software on an SaaS platform to disable Libya’s nuclear program after that country announced it was giving up its weapons. “Three years from now is not an option,” Saboe said. But State will never drop its Microsoft and SAP set-ups, so SaaS must fit atop them, Saboe said. Most panelists said “multitenant” SaaS deployments -- hosting data from multiple customers in the same place -- raise no security issues. Salesforce.com has customers with unique regulatory requirements on a colocated platform, including Morgan Stanley, Sprint Nextel and Sun Microsystems, said Jay Tansing, public sector managing director for Acumen, a Salesforce partner. “Everybody is getting more comfortable with it” as security goes up, he said. But Saboe called questions of security “literally irrelevant,” like worrying about a car’s fuel injection system or putting money in a bank with other people. “This type of argument demeans everybody.” He said he recently talked with FAA staffers who called even the most secure SaaS a terrible idea for air traffic control. Rezaur Rahman, Web services manager for the Advisory Council on Historic Preservation, said SaaS worked well for managing contacts from Outlook mail servers without actually removing the mail client from user computers. 
Asked if IT departments feel threatened by SaaS, Salesforce Public Sector Vice President Kaveh Vessali said there’s a “need for continued education.” SaaS frees IT departments from simply “keeping the lights on” and lets them work more closely with end users, he said. “Our IT department was completely against it… and people are still debating it now that we're implementing it” after a year of discussions, Rahman said.