Michael T. Callihan
Transparency Need Not Lead To Risk Aversion
In today’s complex IT environment, new technologies come at us from a seemingly ever-growing number of vectors: mobile, IoT, biometrics, cyber defense, and so on. Programs – and the agency management team – must answer to FITARA, TBM, and the GSA Scorecard, as well as to scrutiny from the Hill and the media. There are more stakeholders – more sets of eyes – on every program than ever before. If the emperor has no clothes, everyone will know it. This suggests that the immense oversight of government programs leads managers to be risk averse and hesitant to try new processes or emerging technologies. Transparency versus opacity: each side has consequences. Human nature may lead us to prefer keeping details under cover for the sake of control, while decision makers demand full disclosure. Yet this may be a false choice. There is another path to take.
Traditionally, one path to transparency has been through independent verification and validation (IV&V). The role of IV&V is to bring to bear an unbiased third party to advocate for the program, ensure requirements are being met, regulations and policies followed, and best practices applied. Programs are often complex, demanding a multitude of decisions. And let’s face it: too often some agencies lack sufficient in-house technical capacity to evaluate the work of the program effectively. As a matter of fact, “lack of capacity” shows up as one of the GAO’s top indicators of a program that is challenged and perhaps trending toward failure. It can manifest in several ways, from the procurement level through the C-level offices executing the program. Wouldn’t it be nice to have an honest broker helping to fill that capacity?
The Nuclear Regulatory Commission (NRC) offers a terrific model of how an agency – with enormously complex and sensitive programs – can transform from a traditional waterfall development approach to agile while adhering to the transparency of IV&V. NRC (a 20-year client of AEGIS) constantly ensures its programs operate with the transparency necessary for the best possible decision making, keeping those programs and their national security implications out of the news, and achieving their intended milestones.
Today, there is a sense that DevSecOps and agile obviate the need for independent reviews and – gasp! – oversight. Perhaps in a perfect world, that would be true. Federal agencies would have perfect user community insights and requirements, unlimited resources, and sufficient time to test, refine, and secure systems. Compliance, oversight, and FITARA reporting would all be green lights. However, more and more agency leaders are being pushed to deliver complex systems with inadequate requirements, limited skills, and accelerated contracting timelines, many of which are based upon responses to underfunded or unplanned mandates. Senior agency executives face serious challenges and risks under FITARA for unfunded or unplanned requirements while managing cost, scope, and value.
So let’s set aside the term “IV&V” in favor of focusing on the activities it represents. There is broad agreement that IT is complex, security is key, and testing helps achieve better outcomes. At AEGIS we developed an initiative that provides unique services, tools, and expertise for independent project control oversight. We call it Critical Application Security and Testing (CAST). Our goal is to deliver insights, early-warning indicators, and custom dashboards in parallel with program contractors and resources.
The goal is to replace risk aversion with a proper focus on the key elements of success: transparency, so decision makers are properly informed; independent eyes, to surface issues as early as possible, when they are least expensive and easiest to fix; risks that are actively managed; and programs that are enabled to overcome hurdles along the way. After all, IT is a race, but not a sprint – it is a series of hurdles.