Technology at the Speed of Government

Information Technology in itself is pretty complex. IT at the hands of government can be downright nasty. Check out Reason Mag for more:

The new IG report is a review of progress on the data hub that handles the transfer of personal information between multiple federal agencies—information needed to complete enrollment applications within the exchanges. In other words, it’s sensitive stuff, and security is paramount. The IG’s report, completed in May and released last week, didn’t attempt to judge the data hub’s functionality. Instead, it attempted to judge the security of the information being moved through the system.

But documents outlining the hub’s security protocols weren’t finished on time, and those the IG could see weren’t finished. “Because the documents were still drafts,” the report says, “we could not identify CMS’s [Center for Medicare and Medicaid Service’s] efforts to identify security controls and system risks for the Hub and implement safeguards and controls to mitigate identified risks.” Security testing is behind too: Practice runs designed to detect problems that were initially set to begin last month were delayed, and didn’t begin until this week. The report also notes that the official go-ahead on the hub’s security features won’t be given until September 30—a very, very last-minute deadline bumped back from an already cutting-it-close previous deadline of September 4.

In my world, handing a requirements document out a couple weeks before things go live is called failure.  Obviously, there are interim requirements, and probably gads of testing that’s already ongoing.  I don’t expect Reason to be on top of how IT process flows.  But it’s still a bit disturbing that we’re defining a broad swath of technology that will impact every American’s life, and we’re doing it on the fly.

If I had to guess, the base timeline was written into the law, and then everyone just got told to conform to the dates.  That doesn’t let the real implementation people off the hook… you need to have a timeline and a deadline and build to that.

But another real technology problem here is what I refer to as, “right to left scheduling.”  You don’t start your timeline on the right-hand side and then just drop milestones into the plan.  You decide all the things that need to fit together, and then you look at dependencies, and then you build the schedule and see what’s broken.  In this case, it looks like what’s broken is the security of one of the most complex IT deployments in the world.