As an information security consultant who works (for now anyway; my ultimate goal is to freelance) for a Fortune 500 firm, a large percentage of my clients are federal government agencies, many of them "defense" organizations (which tells you that I have a huge reservoir of material for future posts). In the course of my attempts to satisfy the terms of my contract with the customer, I am required to deal with an organization that is responsible for hosting Department of Defense (DoD) information systems. This organization charges the various DoD organizations, consisting of the military services, organizations and commands within those services, or executive-level agencies within the Department, a sliding scale of fees for hosting and maintaining these organizations' information systems. These fees vary according to a variety of factors, such as the size of the information system being hosted, or, as is the case with many customers, the number of systems being hosted; data traffic volume processed by the systems, level of maintenance and operations support required, and the types or frequency of "non-standard" services needed. A standard Service-Level Agreement (SLA) is drawn up between the organization within the Defense Information Systems Agency (DISA) that is responsible for hosting DoD information systems, and the customer organization for whom they are providing service, an agreement that contains specific terms of service, rates charged for the services rendered, the frequency with which charges are applied, specific customer and DISA responsibilities, and other factors affecting the provision of service. In other words, these hosting centers operate, at least theoretically, like a web hosting service or data service center in the commercial private sector. But appearances are deceiving.
The major differences between the DISA hosting organization and its private-sector counterparts are sufficient to render any resemblance by the former to the latter purely coincidental and superficial. For starters, the DISA hosting centers are staffed by career civil servants and contractors hired by the DoD to handle certain specialized technical tasks. As is the case with all civil servants, those staffing the DISA hosting facility cannot be terminated if they fail to abide by the terms of the SLA concluded with their customers. Nor can the contractors working for them be terminated for failure to satisfy the customer, they having been awarded the hosting center support work through contracts not tied to customer satisfaction. Therefore, while these contractors work hard at keeping their civil servant bosses satisfied, they have no direct incentive to assist actual customers of the hosting center.
Second, the DISA hosting centers (there are at least two dozen scattered throughout the continental United States and over a dozen others at U.S. military installations overseas) are woefully understaffed and underequipped, even as they charge their customers fees-for-services that ostensibly fund them to sufficiently provide the level of service for which the customers are paying. The problem is that the money that these DoD organizations pay to these DISA hosting centers is simply money allocated to these customer organizations out of the overall DoD budget and, once paid to the DISA hosting center, goes right back into the DISA's general budget. The fees paid do not necessarily go toward funding the immediate operational need of the customer agency that paid them. Can you imagine a private-sector commercial data center taking money from a customer to host an information system, but rather than using this money to purchase and install the customer's equipment or to hire system administrators to provide the customer's system with 24/7 support, the data center spends this money on another customer or puts the money directly into the center's operating capital account? Needless to say, the ownership of that data center would be in court in a heartbeat, possibly even subject to criminal charges of theft or misappropriation.
But not the DISA. Like all bureaucracies of its kind, the DISA is not bound by the laws or ethics that bind the private sector. As a result, DoD organizations are paying money --often an obscenely LARGE AMOUNT of stolen taxpayer money-- for services they are not receiving. This has the effect of negatively impacting the customer organizations, causing them to waste even more tax money than they otherwise already would under normal operating conditions by having to postpone or otherwise work around delays and outages caused by the inability of the DISA hosting centers to fulfill their contractual obligations. Because these DISA centers are accountable not to their paying customers, but to a remote bureaucracy that controls their budgets independent of their customers' satisfaction, they do not suffer the automatic negative feedback that the market would provide. Since all DoD organizations are required by policy to host their systems within a DISA hosting facility unless they justify an exception for operational reasons, there is no market pressure on these DISA hosting centers to shape up their act and start providing the services for which their customers have paid. Customers cannot cancel contracts or sue for breach of contract when their mission needs are not met, because there is no market incentive for this bureaucracy to do so.
In the last six months I have sat through innumerable meetings and conferences with senior representatives of this hosting agency in which its operations manager has essentially said "We don't do what you're asking us to do, even if what you are demanding is a term of service contained in your SLA." If this individual worked for a private data services center, she would most likely be fired on the spot for making such a remark and her employer would quickly find themselves in civil court for fraud and breach of contract. But since this individual is a government "employee", she can get away with such statements with impunity, because she and her organization do not face penalties for non-performance. Worse still, while my client expects me to prepare documentation for the Program Office detailing certain aspects of system operations security, I am unable to do this without input from the DISA hosting center because it is they, not I or my client, who control the system in its operational environment. For this reason I am required to obtain certain artifacts from them that will enable me to document the seamless integration of my client's system with their hosting facility, producing an artifact that they require as well as my client. Yet they consistently refuse to "play ball", even though they are contractually obligated to provide this information to all of the customer organizations that they host. Once again, if this were a private data hosting center, they would be in front of a civil court judge facing a breach of contract suit. The list of their transgressions goes on and on, but I think the reader gets the idea.
The amount of money that DISA's hosting center charges my client to host their system is simply grotesque (hint: it's in the low seven figures for annual service for just one system), especially when one of my colleagues whose brother manages a private data center tells me that any private sector data center can host the same system, with full 24/7 administration and service support, for less than a tenth of what it costs the government to do it in-house without being able to even provide the services they promise. Of course the government's excuse for not pursuing this course of action is that its information systems process "sensitive" or "classified" data that requires extra degrees of protection. No problem. Just put out a request for proposals inviting all data hosting centers in the United States to compete for DoD business, with the caveat that at least some of their employees must obtain appropriate DoD security clearances, that they must reserve a portion of their facilities (or construct new facilities) that must meet certain DoD standards set forth in the National Industrial Security Program Operating Manual (NISPOM) before they can host any DoD systems, and that their facilities must be subject to periodic DoD inspection (at least those portions hosting DoD systems). Problem solved, and at a tiny fraction of the cost incurred by the government's inefficient in-house resources, even with the adaptations required by the private hosting facility to meet the DoD's needs. Granted, my readers know that I'd like to see the DoD eliminated altogether, but until we obtain that distant lofty goal, this is a step in the right direction.
For all of the caterwauling about "customer service", "saving the taxpayers money", "total quality service", and "being responsive to customer needs", it is quite obvious that it's business as usual for the government and its labyrinth of bureaucracies: that is, money is wasted and nothing of substance is accomplished. The moral of this tale is clear: If you want customer service for your computing needs, go to BestBuy. Otherwise, be prepared to get robbed and lied to.