Analysis Item 33: Department of Administrative Services Information Technology Procurement Management Program

Transcription

1 Analysis Item 33: Department of Administrative Services Information Technology Procurement Management Program Analyst: Paul Siebert Request: Acknowledge receipt of a report on the status of the information technology procurement management program. Recommendation: Acknowledge receipt of the report. Analysis: SB 5701 (2016) approved a number of budget adjustments related to a multi-part reorganization of the Department of Administrative Services (DAS) and the Oregon State Chief Information Officer (OSCIO) involving the state s information technology (IT) related functions. As part of the IT reorganization, a new structure was proposed for IT procurement and vendor management with dual responsibility between DAS Enterprise Goods and Services and OSCIO. This new structure was reviewed by the Joint Committee on Ways and Means as well as the Joint Legislative Committee on Information Management and Technology (JLCIMT). The JLCIMT recommended approval of the procurement process for the remainder of the biennium with direction that a joint status report on the IT vendor management program be made to the Emergency Board and JLCIMT during the December 2016 Legislative Days. OSCIO reports that its Vendor Management team continues to partner with DAS Procurement Services through a hybrid model where DAS, as required by statute, continues to retain authority over competitive bidding and contract negotiations functions of IT procurement for the state. Due to concerns expressed by the Legislative Fiscal Office of bifurcating IT procurement, vendor management, and oversight between OSCIO and DAS, the agencies were directed to identify and evaluate alternative models for IT procurement used in other states. While this assessment was not completed in time for this report, OSCIO will be reporting the results of this assessment to the JLCIMT during its December 12, 2016 meeting. The Legislative Fiscal Office recommends acknowledging receipt of the report. Legislative Fiscal Office Emergency Board December 2016

2 33 Department of Administrative Services Heath Request: Report on the Office of the State Chief Information Officer s IT Vendor Management initiative. Recommendation: Acknowledge receipt of the report. Discussion: The Office of the State Chief Information Officer (OSCIO) is reporting on its IT Vendor Management strategy in accordance with a request from the Joint Legislative Committee on Information Management and Technology (JLCIMT) in the February 2016 Session to jointly present the assessment report and status report on IT vendor management program progress to the Joint Legislative Committee on Information Management and Technology and the Emergency Board during the December 2016 Legislative Days. Assessment Report: Based on OSCIO s review of the literature and comparison with other states, there does not appear to be a clear industry best practice or standard with regard to where ultimate responsibility for managing information technology procurements should reside. Based on a survey, six states leave this responsibility to their central purchasing office, 29 states have some degree of overlap in responsibilities between central purchasing offices and their chief information officer, and 14 states have the chief information officer as the lead procurement agency for IT procurements. For a survey conducted by the OSCIO, the 13 respondents varied widely in terms of budget, staff, and responsibility dedicated to managing IT procurements. Status Report: In order to implement the Basecamp model of IT Vendor Management, OSCIO has hired three Strategic Sourcing Specialists (at the same time, DAS Procurement has added 4 positions to their IT team). The team has: established a grading criteria and tool for enterprise IT investments, mapped roles and responsibilities in the procurement process, developed performance measures for future IT projects, reached out to state agencies, local governments, and the vendor community, developed a website to promote the Basecamp contracts, linked Basecamp to the state s existing purchasing system (ORPIN), and promoted Basecamp through other channels, including lists and Strategic Technology Officers. The staff for this project were approved as limited duration during the biennium. The Governor s Recommended Budget keeps two positions in OSCIO and four positions in Enterprise Goods and Services Procurement as permanent, full-time positions to manage this new function. As this letter was also addressed to the Joint Legislative Committee on Information Management and Technology, the letter covers a number of other topics that the OSCIO is currently working on, including an update on the implementation of Executive Order 16-13, which unifies the state s cybersecurity under the OSCIO, the status of the Oracle settlement, and progress being made in implementing House Bill 3099, which established separate statutory authority for the Chief Information Officer. Department of Administrative Services 33-i December 14, 2016

3 Kate Brown, Governor Department of Administrative Services DAS Business Services 155 Cottage Street NE Salem, OR PHONE: FAX: The Honorable Senator Peter Courtney, Co-Chair The Honorable Representative Tina Kotek, Co-Chair State Emergency Board 900 Court Street NE H-178 State Capitol Salem, OR RE: The Office of the State CIO s Request to Report to the Joint Legislative Committee on Information Management and Technology (JLCIMT) on the Status of Current Initiatives Dear Co-Chairpersons: The Office of the State CIO (OSCIO) respectfully requests that the JLCIMT acknowledge receipt of a report on the following initiatives: Executive Order (EO 16-13), Unifying Cyber Security in Oregon. Report on status of EO implementation and transfer of information technology (IT) security staffing functions. Oracle Settlement. Provide settlement overview and report on agency use and/or evaluation of products contained under within the unlimited deployment agreement (ULA). IT Vendor Management. Report on implementation status of joint-information technology (IT) strategic sourcing group, and assessment of alternative state IT procurement organizational/operational models in used by other states throughout the nation. HB 3099 Implementation. Report on agency compliance with statewide IT policies, rules and standards; the results of a biannual market analysis of the state data center; and the status of recommended enterprise or shared information systems. Executive Order 16-13, Unifying Cyber Security in Oregon The OSCIO is currently working to implement the transfer of cybersecurity staffing functions into our Office from across the Executive department pursuant to the Governor Kate Brown s Executive Order No (EO 16-13), Unifying Cyber Security in Oregon. Recent IT security breaches, persistent vulnerabilities, non-compliance with IT security-related OARs and statute and the anticipated audit findings from a statewide IT security audit demonstrate that the current decentralized model for IT security needs to improve drastically. In some agencies, there are fundamental capacity gaps and a legacy of disinvestment. More executive support for cybersecurity is needed. More problematic however is the asymmetric nature of IT security risk, where the vulnerabilities of smaller and under-resourced agencies put larger state agencies and local governments at risk; e.g., the breach at the Construction Contractor s Board which made the Oregon Department of Transportation and Multnomah County vulnerable (among others). EO is the first step in addressing these persistent IT security vulnerabilities. It applies to agencies within the Executive department, as defined in ORS but excluding the Secretary of State, State Treasurer, Attorney General, Bureau of Labor and Industries, State Lottery, and public universities. EO requires the OSCIO to conduct the following activities:

4 Page 2 Unify information technology (IT) security functions and personnel within the Executive department and bring them under the direction of our Office; Conduct a statewide agency-by-agency risk-based security assessment and remediation program; Conduct and document the completion of (IT) security awareness training by all state employees; and Establish and track security metrics for all agencies within the Executive department. In furtherance of EO 16-13, our Office has worked with the DAS Chief Human Resource Office and the Department of Justice to develop an Interagency Agreement that will facilitate the transfer of IT security functions and personnel from November 1, 2016 until June 30, Additionally, our Office has initiated a statewide IT security survey, initiated public procurements to obtain thirdparty risk assessments and security awareness training. The IT security survey data and third-party risk assessments will inform the development of an Enterprise Risk Report in the coming months that will be provided both to you, the Governor and Legislative Leadership. Furthermore, our Office is seeking to introduce a legislative concept (LC) that would make the unification of cybersecurity in Oregon permanent and establish a Cybersecurity Center of Excellence (CCoE) through partnerships with the private sector and universities. The CCoE would provide a public-private state-civilian interface for information sharing, coordination of cyber incident response, development of a statewide cyber strategy, identification of best practices and to further the development of the cyber-security workforce in Oregon. The LC would also establish a Cybersecurity Fund within the CCoE, and enable it to accept federal and grant funds and enter into public-private partnerships. The position of our Office is that the State of Oregon should transition from a decentralized and diffused cybersecurity model to a unified model that will bring all IT security functions into a single organization directly accountable for the security of agency and state data center operations, realtime security monitoring and incident response, implementation of enterprise security policy and enterprise security architecture. Furthermore, the establishment of a CCoE, would enable the state to draw on the expertise and capabilities of the private sector and develop a long-term multi-sector cyber strategy for preventing future threats, responding to cyber disruptions and building capacity across the state and with our local government partners and school districts. Oracle Settlement The state of Oregon s settlement with Oracle included both cash and in-kind elements ending protracted litigation that had already cost the state nearly $25 million, providing $10 million in grant funding to support Science, Technology, Engineering and Math (STEM) initiatives within K-12 through the Oregon Community Foundation and providing the State of Oregon a unique opportunity to upgrade many of its business capabilities through a 5-year and 10-month unlimited license agreement (ULA) and customer support services valued at over $65 million. While the ULA certainly provides the Oregon Legislature a way to save a significant portion of the estimated $500 million it would take to modernize Oregon s business capabilities, the decision as to whether or not to implement any of the more than 200 product components available is ultimately a business decision. It is also worth noting that the ULA represents a substantial subset of the Oracle catalog and includes: Customer Relationship Management (CRM) Procurement (Supply Chain Management)

5 Page 3 Asset Management Financials Human Capital Management (HCM) Enterprise Learning Management Business Intelligence Database Data Integration Middleware Security And a variety of Development, Application and Portfolio Tools While the ultimate value of the ULA will be determined by what the state of Oregon is capable of implementing over the next five-years, the ULA represents a major opportunity in terms of cost avoidance. A 10-year modernization plan prepared by KPMG estimated that the state would need to spend between $ million to implement a fraction of the software contained in the ULA. Furthermore, repositioning current in-flight projects to take advantage of the ULA could result in substantial cost avoidance. That said, it will require legislative action to realize the in-kind value of the settlement. Though the ULA represents a major opportunity for the state of Oregon, it will require a substantial investment to realize its value. Beyond new business capabilities, the ULA will enable the state of Oregon to upgrade and enhance its existing Oracle base. Many of the programs and services our citizens rely on were developed on the Oracle platform. The Oregon Legislative Information System (OLIS), Medicaid Management and Information System (MMIS) and the Oregon Election System and Tracking and Reporting System (ORESTAR) are just a few examples of systems that rely on Oracle. Going forward, our first priority will be the identification of opportunities to upgrade our existing Oracle portfolio. This uplift will not only enhance existing capabilities, it will also improve the security posture of the state by moving agencies off of long-unsupported database platforms preventing the type of breach that occurred at the Construction Contractors Board earlier this year. Notwithstanding the potential value of the ULA, the OSCIO is and remains committed to working with agency business leads through the Stage Gate process as they evaluate the appropriateness and feasibility of implementing products contained in the ULA. After agencies have identified their business requirements for a particular IT initiative, they will be required to evaluate products contained in the ULA as part of the alternatives analysis in their detailed business case (as currently required for Stage 2 endorsement) considering benefits, costs, and risk. In addition to a detailed business case, agencies will be required to conduct an Enterprise Fit-Gap analysis that considers products currently available within the enterprise IT portfolio, including the ULA, existing statewide agreements and current systems in production. In conducting the analysis, agencies will be asked to evaluate each of their business requirements and makes one of three determinations: 1. Fulfills with configuration. Products within the enterprise IT portfolio fulfill the business requirement with configuration. 2. Development required. Products within the enterprise IT portfolio fulfill the business requirement with development tools that do not sacrifice the ability to upgrade the system; i.e., still commercial off the shelf (COTS). 3. Customization required. Products within the enterprise IT portfolio fulfill the business requirement but the extent of modifications required would eliminate future upgrade paths.

6 Page 4 As for the being able to access the ULA itself, our Office is currently working with the Department of Justice (DOJ) and DAS Procurement Services to develop an onboarding procedure for agencies to take advantage of the available products. Before agencies can take advantage of the ULA, they will need to work with our office, the DOJ and DAS Procurement Services. As part of the onboarding, each agency will be required to sign the ULA, enter into an interagency agreement with DAS, and commit to conducting periodic inventories as well as certifying the deployment of all Oracle products deployed at the end of the ULA. IT Vendor Management The IT vendor management program was established to develop IT supply chain management capabilities, shared service models, oversight for long-term strategic vendor relationships and to support the Basecamp initiative. Basecamp aims to provide a one-stop shopping portal and IT roadmap for state agencies, local government affiliates and school districts alike, allowing them to quickly identify and efficiently contract trusted IT goods and services. The goal is to ensure our partners are able to focus on what matters most investing in programs that better serve Oregon residents. Basecamp is being built upon a comprehensive and cohesive technology architecture that ensures interoperability, while minimizing cost and disruption to current systems (i.e., a technology reference model) i.e., products that are tried, trusted, verified and secure. Basecamp aims to optimize IT spending and drive enterprise cloud deployment by leveraging statewide purchasing power, reducing IT application and infrastructure complexity and providing a single point reference for legacy, core and leading technology in the state of Oregon. To implement the Basecamp initiative, the vendor management team continues to partner with DAS Procurement Services through what could be characterized as a hybrid model where DAS Procurement Services continues to retain authority over the competitive bidding and contract negotiation side of IT procurement (as required under statute). While there was strong support for the intent of program, it only received conditional, temporary approval for additional limitation and limited duration positions due to concern over the splitting of state IT procurement, vendor management, and oversight between DAS EGS Procurement Services and OSICO (JLCIMT Recommendation to General Government Subcommittee, February 12, 2016). The JLCIMT recommendations further provided the following: The Joint Legislative Committee on Information Management and Technology (JLCIMT) recommends conditional, temporary approval of the request for the remainder of the biennium assuming the funding, spending authority, and personnel resources are made available to the Department of Administrative Services (DAS) and the Office of the State Chief Information Officer (OSCIO) by the Joint Committee on Ways and Means. Specifically, the JLCIMT recommends that DAS and OSCIO: Conduct an assessment to identify and evaluate the alternative State IT procurement related organizational/operating models in use by other states across the nation. The assessment report should provide the raw findings and include (but not be limited to) the roles, responsibilities, accountability, staffing levels, and costs associated with: o The most predominant organizational/operating models in use across the nation as compared to the shared IT vendor management program proposed within this request. o A full transfer of state IT procurement duties, functions, and powers from DAS and the DAS Director to the State Chief Information Officer.

7 Page 5 Submit the assessment report and a status report on IT vendor management program progress to date to the Legislative Fiscal Office in November Jointly present the assessment report and status report on IT vendor management program progress to the Joint Legislative Committee on Information Management and Technology and the Emergency Board during the December 2016 Legislative Days. In response to the JLCIMT recommendation, the OSCIO conducted a national survey of State CIOs and State Procurement Officers. Informed by research on best practices within IT procurement, the survey sought detailed information on the roles, responsibilities, accountability, staffing levels and costs associated with the alternative organizational or operating models throughout the country. The IT assessment report and its findings are still under development and will be submitted to the JLCIMT by November 28, 2016 along with the associated raw findings from the survey. While the survey responses were limited to 13 states, our Office has worked to augment these findings through additional research and document review; e.g., review of similar surveys conducted by the National Association of Procurement Officers and National Association of Chief Information Officers. HB 3099 Implementation As we all know, changing citizen expectations coupled with the failed launch of CoverOregon have increased legislative interest in state IT oversight and service delivery reflected in the passage of HB 3099 (Chapter 807, Oregon Laws 2015) which became fully operative on January 1, Among its many provisions, HB 3099 also directed our Office to conduct several biennial assessments, including: a review of state agencies compliance with the OSCIO s rules, policies and standards; a market analysis of the state data center; and recommendations regarding the establishment of new shared and utility services. Pursuant to ORS (4)(a) our Office will continue to report these findings to the Governor and JLCIMT. OSCIO Statewide IT Survey In support of these reporting requirements, our Office conducted a statewide survey focused on IT asset management with an emphasis on IT infrastructure and IT personnel. These themes were underscored in a memorandum from JCLIMT memorandum, dated February 11, 2016, that specifically identified the following concerns: Apparent or actual agency non-compliance with IT-related statutes, State CIO rules and policies, or stated expectations related to IT Investment Review and Approval and Information Security, and the need for the Office of the State CIO to establish rules, policies, and standards related to IT procurement. (Note: ORS Penalties - is an available remedy) The need to assess and determine how to best reorganize and stabilize the Enterprise Technology Services unit s Service Catalog and associated rates, while incorporating managed services (e.g., the statewide voice services contract) and brokered cloud services (e.g., Infrastructure as a Service - IaaS) offerings into the mix of services that the Office of the State CIO provides to state agencies and other customer organizations. The current distribution/decentralization of responsibility and accountability for information security across the enterprise. Agencies that currently utilize, maintain, support, and who are considering the submission of budget requests to sustain or enhance their own computer rooms (small data centers) at their agency s.

8 Page 6 Unlike previous assessment and benchmarking efforts, such as the 2012 Hackett Group study, the intent of the survey was to capture the current state of IT from the vantage point of a typical agency CIO. In adopting this stance, we hoped to reduce the reporting burden and gain greater insight into the opportunities and challenges faced by the IT organizations within each agency. A high-level overview of statewide IT survey and associated raw findings will be submitted to the JLCIMT by November 28, Additionally, the findings of the survey will continue to inform the development of policy area Information Resource Management (IRM) plans. The policy area IRM plans will build on agency IT strategic plans and proposed project portfolios for and align with the Governors initiatives. The policy-area IRM plans will be presented during the 2017 Legislative Session. Utility and Shared Services With respect to recommendations for shared or utility services, the case of is illustrative of the challenges associated with establishing the capacity to offer a centrally provisioned service under a voluntary adoption model there has been discussion about standardizing onto a single system for more than a decade. At present the state of Oregon currently operates 39 separate s system for 65 agencies and 53,594 separate user accounts, down from the 54 systems that were being operated just a few years ago. In large measure, this reduction was facilitated by the establishment of the Enterprise service offering from ETS, which currently serves 10,235 using Microsoft Exchange. While this represents a substantial reduction in the overall number of systems, the Enterprise system was original scoped to accommodate up to 20,000 users and has operated at a loss since it was established requiring three dedicated positions, professional services, hardware, software and licensing. Given that the cloud-version of Office 365 will soon be available to state agencies, the ETS service offering will likely never reach full capacity. Given this financial reality, our Office is currently evaluating the feasibility and potential timing of a pivot towards a cloud-based service. However, such a transition would have important financial implications. Under the current model, ETS owns its Microsoft licenses in perpetuity and can defer maintenance on hardware and reduce professional services costs; e.g., eliminating Microsoft Premier Support (training and technical assistance). Under a cloud-based subscription model, services become a fixed cost and there is no budgetary flexibility if you don t pay Microsoft you no longer have . Furthermore, absent a coordinated pivot towards cloud-based services, the state of Oregon will end up paying higher prices per user as each agency negotiates individual pricing agreements. Similar to , the challenges associated with centrally provisioning a service can be extended to the state data center (SDC) itself albeit, with far higher fixed costs. Regardless of how many agencies choose to use the SDC, the fixed costs remain the same. With the current rate methodology, many of these fixed costs are embedded within the rates for individual lines of service. Embedded fix costs coupled with an opt-in service model create have created a vicious cycle, wherein the rates of the SDC will never be competitive with similar services that are widely available within the private sector. Consequently, the SDC will increasingly become the service provider of last resort supporting end-of-life legacy systems that cannot obtain services in the private market.

9 Page 7 Furthermore, under the current model service rates are based on utilization estimates that attempt to forecast demand three to four years in advance invariably, underestimating and overestimating the demand for particular services. When the SDC underestimates demand it may end up overcollecting and be required to pay a refund (e.g., the refund to DHS/OHA for network loadbalancing). Contrarily, the SDC may overestimate demand and be forced to absorb the costs. These challenges are further compounded by the inability to utilize existing floor space due to power limitations. In order to limit initial capital outlay, the design of the SDC facility was such that the core mechanical infrastructure (generators, electrical switchgear, cooling infrastructure) of the building was only deployed at 50 percent of its total capability, with the intent to double that capacity to accommodate increasing demand. Absent additional data center capacity, IT infrastructure will either need to remain within existing agency facilities or relocated using thirdparty data center space using brokered agreements underutilizing the capabilities of the state s own purpose built data center. Given our ability to broker these services and maturity of cloud-service offerings, there are increasing opportunities to transition core business functions such as human resources (HR) to software-as-a-service models. However, just as with there are major financial implications in terms of transitioning capital expenses into operating expenses we lose whatever budgetary flexibility we now have and surrender control over our systems of record. Fundamentally, our state s leadership needs to determine the path forward. Do we optimize the existing the capabilities of the state data center or do we simultaneously embrace a pivot towards the cloud while becoming the service provider of last resort. Market Analysis of the State Data Center In fulfilling the biannual requirement to submit a market analysis of the State Data Center, our Office is working with Gartner Consulting and their benchmarking team. The assessment will review the current ETS service portfolio, provide benchmarking against peer states and private infrastructure providers, evaluate the service model in light of industry best practices, evaluate alternative service options and develop recommendations. The data center market analysis and assessment will be submitted to the JLCIMT by November 28, Sincerely, Alex Z. Pettit, Ph.D. Chief Information Officer Cc: Paul Siebert, Legislative Fiscal Office Sean, McSpaden, Legislative Fiscal Office Ken Rocco, Legislative Fiscal Office Patrick Heath, Chief Financial Office