Here in the State of Washington (and I am sure elsewhere) the state and local governments continue to spend on information technology, and wrestle with managing that technology. The Department of Information Services (DIS) and the Information Services Board (ISB) (an entity mandated by the Revised Code of Washington and somewhat under the auspices of DIS) formulate some fairly nice high-level goals and respectable practices.
But still, when you get out there in the field there are things which can make you wonder just how well this pushes out "from Rome to Gaul". Take, as an example, voting systems. I think we can pretty much agree that the Diebold systems have some severe issues, technical as well as general. Yet, there appears to be almost no DIS/ISB oversight.
Since the ISB is mandated by RCW, it is passed into law; and that is a function of the State Legislature. So it makes sense to try to understand what the Legislature's intent is: how committed are they to the very practices they mandated by passing a law? What could be a better litmus test than something as controversial and contentious as voting systems have proven to be?
To this end I determined that the Technology, Energy and Communications (TEC) Committee was the one with oversight, and contacted Rep. Joe Morris, the head of the committee, and on 04-May-2005 sent the first e-mail reproduced below. After a month of pissing around and getting no substantive response, I sent an e-mail to the entire membership of the TEC Committee and almost immediately received an acknowledgement from Rep. Toby Nixon, to which I responded substantively on 02-Jun-2005 (typo: originally had 02-May-2005 -- FWM) in the second e-mail reproduced below.
I point out that the questions posed about voting systems come directly from the DIS's own Risk and Severity Matrices.
I have received absolutely no further communications from anyone on this matter.
Before they pass more laws to deal with a political tar baby, doesn't it make sense for them to review what they've already set in motion and perhaps fine tune it?
Technology management is an important issue. I can hope that a lack of response does not imply a lack of interest or an avoidance of the issue, but just in case at some point down the road the legislature claims they weren't made aware of the issue: here it is for all the world to see.
To: xxxx
From: xxxx (Fred Morris)
Subject: Fw: legislative intent? Was: ISB

Rep. Morris:

The following was sent on 08-Apr-2005. I received a followup almost immediately from Ms. Fleckenstein encouraging me to call your office (which I did) and also from Ms. Hettinger indicating that she had forwarded it to a number of senior managers in DIS. As noted, I saw no need to importune during a busy legislative session. But now that the session is over, I would like to speak with you. I know you have a job; so do I. Nonetheless, I feel that the issues alluded to below and the open-ended question stated as the subject of the e-mail are worth the time.

--

To: "Fleckenstein, Mary" xxxx
From: xxxx (Fred Morris)
Subject: legislative intent? Was: ISB

Ms. Fleckenstein:

Thank you for getting back to me.

As a licensed business in Seattle for 20 years practicing in the information technology field and as a citizen of the State of Washington I have two separate albeit intertwined interests; they have reached a certain convergence recently, and now I am attempting to separate them again.

I was directed to you by Rep. Dickerson's office; my objective in this rapprochement is, as a citizen of the State of Washington, to open communication channels with the legislative body which by its authority sets the policy which the ISB then implements, in order to establish the foundations for further dialogue. I welcome comments and observations from DIS/ISB, but my purpose is to establish contact with the legislature.

As a consultant I haven't (at least until recently) actively pursued government work and although I have had some on-going business relationships with repeated engagements which have lasted many years, most of my projects have been roughly in the six man/month range (some engagements much shorter, the longest lasting approximately two years). I have always promoted high quality, measurable software engineering practices; in fact, the profound lack of appreciation of such attributes is long-standing and enduring in most of the shops I have seen. So, this has been my niche: getting it right the first time, based on open published standards and measurable results.

As a citizen I have long been disappointed in government's interest or understanding of this issue and its impacts, and this spills over into such issues as education, intellectual property and consumer protection as well.

As a consultant I decided some months ago to start actively pursuing some larger projects still within my core focus on practices and quality, and government opportunities were a logical direction. As part of this I reviewed virtually all of the documents pertaining to software engineering practices on the DIS/ISB web sites; I refer to this as the State of Washington Department of Information Services Body of Knowledge (SOW/DIS BOK):

http://xxxxx/sow-bok-review.html

Earlier this week I attended the Westside Vendor Education Seminar in Olympia where my interests converged: I learned a lot about how the government spends money, it was well worth it! I am pursuing my "vendor hat" interests with DIS and elsewhere through other channels, and now I need to take the "citizen hat" track a step further as well.

Although the SOW/DIS BOK demonstrates the intent of DIS and the ISB, the record indicates that this hasn't pushed out to the agencies which comprise government very effectively.

Many RFPs issued by agencies call out the "agency standard Windows platform" as though there is such a thing. Windows is a brand, not a standard: Microsoft can sell or bundle anything it wants to as Windows. This is akin to saying the "agency standard Ford Taurus" or the "agency standard GM pickup truck", when in fact the real standards accrue to things like brakes on all four wheels, headlights, crash survivability and so forth. If the Ford Taurus only had brakes on one wheel then the agency declaring it a "standard" doesn't make it so. In fact, the real purchase decision is being made on "comfort features" (in the vehicle example this would be things like heating and air conditioning, a radio, and upholstery rather than metal seats).

Many RFPs also call out "COTS software (with *mumble* some customization)" ("COTS" means "common off the shelf"). The reason for this I suspect is in the DIS' own risks and severity matrices, which call out COTS as low risk... in spite of literature from the SEI and elsewhere documenting known risks with COTS software. Granted, I have no doubt that general experience with custom development has been no better in government than elsewhere, but I maintain that this is because of a failure to follow good software engineering practices and not in the nature of custom development per se.

In government, although perhaps less so than the private sector, there is an increasing focus on narrowly defined and increasingly costly degrees and certifications which may or may not indicate the aptitude to truly grasp the scope of an issue or problem: as someone at a biotech working in a lab producing bioreagents from genetically engineered yeast once remarked to me "a PhD in biology doesn't mean you can bake bread". This leads to an increasingly costly education system with the costs and risks borne by those hoping to obtain employment, and opens the door to various labor abuses as well.

As a final example, it should be recognized at this point that the Diebold elections software is poorly engineered; and yet an RFP was recently issued for voter database aggregation software compatible with DIMS, and reiterating many of the brand versus standards issues already mentioned. Yet, while the ISB actively monitors the Washington Liquor Control Board's point of sale systems, it exercises no active oversight over voting systems. Given my recent investigations, I think I understand why: A reasonable person, reviewing known facts concerning this software against the aforementioned risk and severity matrices would conclude that risk and severity were both medium or high (unless perhaps voting was not "mission critical"). However, because the Secretary of State merely certifies elections software rather than purchasing it, it falls within discretionary spending limits and therefore stays "off the radar".

Given my understanding of the purpose and authority of GA/DIS/ISB, I don't think that these entities can be held entirely responsible for this state of affairs, which leads me to ask: What, exactly, is the legislature's intent?

I am aware that at the moment the legislature is in session, and I have no specific legislation to propose or speak for or against. But once the session ends, I would like to be put in touch with the members of the Technology, Energy and Communications Committee and I am willing to travel anywhere in the State of Washington as necessary to meet with them.

Thank you for the contact and your time, and if I don't hear from you by the beginning of May on how to proceed I will contact you again.

>[...]

--
Fred Morris, Fred Morris Consulting
To: "Nixon, Rep. Toby" xxxx
From: xxxxx (Fred Morris)
Subject: declarative sentences RE: TEC Legislative Intent WRT: DIS/ISB guidelines
Cc: "Morris, Rep. Jeff" xxxx, "Crouse, Rep. Larry" xxxx, "Ericks, Rep. Mark" xxxx, "Haler, Rep. Larry" xxxx, "Hudgins, Rep. Zack" xxxx, "Kilmer, Rep. Derek" xxxx, "Sullivan, Rep. Pat" xxxx, "Sump, Rep. Bob" xxxx, "Takko, Rep. Dean" xxxx, "Wallace, Rep. Deb" xxxx

Toby,

Thank you for the response. I strongly disagree that something as large as information technology policy for an entity as large as the government of the State of Washington can be encapsulated in a few simple declarative sentences. I will at least try to put it in "inverted pyramid style" and just stick to the central issue(s). Hopefully that way the audience will get the most important parts first and they can tune out as they lose interest, understanding or time to proceed.

I am not in the habit of telling people what to do unless I understand the situation and also understand what their intent is. This is also in conformance with the kinds of practices which are evidenced by the body of knowledge which has been created by the Department of Information Services Information Services Board (DIS/ISB).

I think I have a pretty good grasp of the situation: the DIS/ISB body of knowledge (I have read more than 24 of the core documents, as well as various supporting documents), the procurement practices of various agencies (as reflected in RFPs), the dynamics of spending (personal communications and knowledge and belief, attendance at the Westside Vendor Education Seminar), anecdotal as well as documented evidence concerning how well DIS/ISB practices have pushed out, generally accepted knowledge developed from lessons learned in the fields of information technology and project management.

I do not however have a good grasp of the intent of the legislature. Understanding this intent is my purpose.

Clearly the legislature had intent, as it passed the enabling legislation which created the ISB with a mandate to establish standards, policies, procedures; provide direction concerning strategic planning goals and objectives; and so forth. The ISB has done so, as evidenced by its body of knowledge.

To what extent does the ISB body of knowledge actually represent the current intent of the legislature?

To what extent has the legislature's intent changed since the enabling legislation was passed?

Does the current level of success with which DIS/ISB policies have been pushed out conform to legislative intent?

Does the legislature agree that it is the sponsor, in the project management sense, of this activity?

How does the legislature "close the loop"? For instance the ISB utilizes a discipline called TRENDS to monitor progress of projects such as the Washington State Liquor Control Board Point of Sale system; a similar discipline could be utilized by the legislature to monitor the process of pushing out standards. How does whatever mechanism which is utilized to close the loop compare to TRENDS?

What is the legislature's concept and opinion of standards: What are standards? Where do they come from? Is "Windows" a standard?

How important is measurement? What should be measured? When should it be measured? Why should it be measured?

Is current legislative intent adequate when considered in light of present challenges?

AS AN EXAMPLE ONLY: Did the legislature envision that the implementation of voting systems would take place without active monitoring (comparable to what is afforded to the WSLCB POS system) by the ISB?

In the opinion of the legislature, is voting and the conduct of elections:
* Direct contact with citizens and political subdivisions?
* Highly visible to the public, political subdivisions and legislature?
* Likely subject to hearings?
* Likely to encompass sensitive/confidential data?
* Have impact statewide or require the involvement of multiple state agencies?
* Mission critical?

Does failure:
* Represent an inability to meet legislative mandate or agency mission?
* Imply a loss of significant federal funding?

Compared to the way things are done now:
* Is it a significant change to business rules or processes?
* Does it involve replacement of the current system?
* Does it involve multiple organizations?
* Does it involve extensive and substantial job (re-)training?

Statewide, across all agencies:
* Is the cost over $5 million?
* Does the implementation timeline exceed 24 months?
* Does it require a second decision package?

Is the technology:
* Emerging?
* Unproven?
* Such that two or more of the following new for the impacted agencies: programming language, operating systems, database products, development tools, datacommunications technology?
* Utilizing an architecture of a complexity greater than 2 tier?

In terms of capability and management:
* Is sponsorship visible?
* Has a strong ability to mitigate risk been demonstrated?
* Do the project staff utilize documented and repeatable processes for tracking status, problems and change?
* Are the affected agencies, or any of the vendors, practicing at CMM Level 3 or above?

That should do it for now, although I'm sure I could come up with more.

Thanks again...

--
Fred Morris, Fred Morris Consulting
Fred Morris Consulting, Licensed in Seattle, WA, USA. 1984-2009. Presently in the process of moving to Tacoma.
An Internet Plumber... not a web cowboy