The Commerce Department is going all in with software-as-a-service.
It’s not because SaaS is cheaper. It’s because software-as-a-service is better and faster.
Andre Mendes, the Commerce Department’s chief information officer, said this move to SaaS is all about form and function in serving the mission areas.
“It has been very clear, the realization that some of the cost benefits that you may be getting upfront have been recognized not only by the users, but also by the vendors. The vendors have very much put forth an effort to add additional functionality at additional cost. So from a revenue standpoint, they are not seeing major declines,” Mendes said on Ask the CIO. “Now, I think that in general, that’s a good proposition. What we want is for the IT departments at Department of Commerce, its bureaus and throughout the federal government and the private sector, is stop dealing with commodity stuff and deal with the stuff that really brings value to the table. So is there going to be an enormous amount of savings from migrations to the cloud? Absolutely not. Would in some cases, actually, you have higher expenditures? Yes. But they will come with additional functionality, additional capability that fully justifies what we’re paying for.”
Commerce, like most agencies, not only realizes that the cloud isn’t going to provide huge cost savings, but has also improved how it measures what those current and future costs will be.
It has done so through initiatives such as the Technology Business Management (TBM) framework and now financial operations (FinOps), which is a way for organizations to manage their cloud costs by assigning costs and usage to the entire office.
Mendes said Commerce is in the nascent stages of applying FinOps, but has advanced its use of TBM.
“I can apportion that well over 90% of our IT costs are categorized properly and in the right towers, and that’s a huge change,” he said. “Now, we’ve had a challenge initially in terms of what were IT costs or not IT costs because there was a lot of shadow IT. It’s under the covers IT that was not being classified as such. We’ve made very substantial progress in identifying those, and then cataloging them. Of course, there’s always some difficulty with some of the areas where they could easily fit into different categories, just because of the nature of computing these days, where things are not as clear cut as they used to be. But, by-and-large, that has been addressed. It is helping us in quantifying how much money we’re spending in operations and maintenance (O&M) versus development, modernization and enhancement (DME), and showing the progress and helping us to quantify how the migration into the cloud environments is changing our towers.”
New data from the Office of Management and Budget on the Federal IT Dashboard shows that, out of Commerce’s $2.84 billion IT budget, the agency is expected to have spent $2.1 billion on O&M in fiscal 2023, which is about $100 million less than in 2022, and $695 million on DME, which is about $155 million more than in 2022.
“We really narrowed the definitions of what IT, what it meant to buy IT in terms of what you could do with a credit card versus a typical procurement environment. That very much helped,” he said. “With every system, we have an IT checklist that everybody has to go through, and if there’s anything in it that falls within that list, that project then becomes categorized as, at least partially, IT, and there is an accounting of how much of that is true. It has also helped us in terms of bringing into the fold some larger projects that are previously not being considered IT and are now considered IT, and therefore fall under the aegis of our Commerce IT review board and our acquisition review board.”
The Commerce IT review board and the acquisition review board are agency-wide efforts to bring experts together to drive decisions and priorities.
“I think that’s between the economies of scale and a lot of the legacy systems that we can obviate in our bureaus, we can actually have a cost model that is very good. Now, understanding that it is not a destination, it is a journey, and that might sound a little bit like a cliché, but here’s the reality, the landscape is never going to continue to stop evolving, the threats will continue to manufacture themselves, the software is inherently flawed in a lot of its implementations and end users will continue to make mistakes, so it’s always going to be an issue,” he said. “But I don’t think that we should throw the baby out with the bathwater with some folks coming to the table and basically saying, ‘we’re going to spend a lot of money on this,’ because in the end, we’re not going to be any better off. As a matter of fact, just by virtue of the mandate, there has been such a focus placed on certain areas of cybersecurity that we are already better off just by virtue of people focusing on some of the issues at hand that have been part of their architecture.”
Commerce has three ongoing zero trust implementations, including software-as-a-service in the cloud with the vendor running everything.
He said Commerce also is making progress in modernizing and reducing the number of identity credential and access management (ICAM) tools as well as implementing secure access service edge (SASE) capabilities.
“Some requirements will not be fulfilled by one solution. They will require a couple of solutions. What we’re asking them is to look at this particular one, and then see if it needs to be supplemented by another one. But by and large, I think that has been extremely successful,” he said. “For some of the bureaus, it’s a really easy decision. If they were paying for the first two years of an endpoint detection and response (EDR) tool, but now can move to a tried-and-true system that is one of the highest rated in the environment, and it is paid for, you can generate all kinds of savings right off the bat. With certain other bureaus, it’s a much more complicated environment. They have a good working environment that has a lot of interfaces with different systems, some of them legacy systems, some of them new systems and everything in between. So for me to come in and issue a mandate that says, ‘Ye shall use this particular EDR solution,’ is not an easy proposition, and possibly not the best proposition.”