nanog mailing list archives

RE: OPM Data Breach - Whitehouse Petition - Help Wanted


From: "Naslund, Steve" <SNaslund () medline com>
Date: Fri, 19 Jun 2015 17:15:33 +0000

Here is their 2013 budget https://www.opm.gov/about-us/budget-performance/budgets/2013-budget.pdf

Glancing through it they had a 2.1B total appropriation with 90.5M dedicated to salaries and expenses where IT would 
fall. It appears that their CIO also has a multi-year fund around 70M separately allocated to systems modernization.  
One telling issue is that the budget talks about their priorities and within all of their goals around ensuring 
diversity, treating their employees well, providing good customer service, etc.; there is not one mention of IT security.

It is just about setting priorities. 

I would bet you that there are plenty of IDP contracts out there that they could ride on.  This saves them from the 
entire RFP and evaluation process by simply stating that their needs are equivalent and a usable contract is already in 
place.  Often in government contracts, support for a fixed period of time is rolled into the purchase price.  This is 
done because the government often cannot commit dollars in forward years.  So, when you buy your IDP device you pay for 
five years of support because you know you have the money this year but do not have next year's appropriation yet.  
Most government contracts have very sweet support and maintenance options because vendors often differentiate 
themselves that way without laying down on the up front price and hurting cash flow.  They can bury the hidden costs of 
supporting the devices and just claim a huge number for sales in their current quarter.

Here is the best analogy I have ever heard about how government contracting really works:

***Paint is peeling on your house.  You use your own authority to buy a can of paint and touch it up with no other 
approval (your O&M budget)

***You let the peeling paint slide too long and now you need to replace all of your siding.  You go to your wife and 
she tells you to wait until next spring when you have the money in the budget (department level O&M money)

***You let the peeling paint slide WAY too long and now you need to rip out entire walls and while we are at it we 
might as well put in an addition.  You go to the bank to get a home improvement loan (congressional line item 
budgeting).  This is where they have let their systems get to.


Agency heads like to shift blame by going to congress and saying "I can't do this because I need a huge appropriation to 
even start."  The correct question from congress is to ask that agency head why they did not ask for an IT budget that 
included enough money to support and maintain a secure infrastructure.  They should also ask, what small steps have you 
taken so far within your own IT budget to address security concerns?  For example, do you routinely replace desktops 
over a certain age, is your malware protection software in place and up to date, is your firewall on the latest code 
release?  If you ran a company would you not fire an IT director that came to you and said "we need to replace all of 
our network, servers, and PCs because they are all obsolete NOW...TODAY"?  Wouldn't you wonder what he had been doing 
with the O&M budget you give to him every year? 

The truth of this is that most agency heads do not care about IT security, they just do not.  The only exception might 
be DoD because they are well aware that they have enemies that are looking to take them out and it is their primary 
responsibility to fight enemies.  Most other agencies don't have the mindset of having an adversary looking at them and 
don't care because they don't get hurt; the citizen whose data is lost takes the hit.  It might not change things 
immediately to fire the head of this agency but it does let other agency heads know that if you ignore IT you could 
lose your job.

Steven Naslund
Chicago IL


On Fri, Jun 19, 2015 at 12:12 PM, Naslund, Steve <SNaslund () medline com> wrote:
There is an O&M budget created for the day to day operation and maintenance of IT systems.  This is approved along 
with your department's budget annually.  If you classify updating equipment as an O&M function (which it routinely 
is) then you have no issues.  You purchase your equipment off pre-existing purchasing agreements in place with 
your agency or the GSA.  If your purchases exceed a certain threshold or the amount available under your O&M funding, 
then you need to go out and negotiate a project and contract it out.  Trust me, I know how this works; I was also a 
contracting inspector for communications systems during my time with the US Air Force.

I'm fairly certain that new IDS purchases, for an org as large as OPM, which would also include project-term Support 
contracts, isn't going to fit into any pre-approved O&M day to day budget... other than maybe an AF budget :-)

-Jim P.
