Think before you speak. Plan before you act. These are just two of the tried-and-true principles we are taught in our formative years to help us lead a better quality life and avoid some of the pitfalls associated with poor planning and impulsive action that, when combined, often lead to disastrous outcomes. These same principles apply when we think about military systems and the science of warcraft.
Aircraft, ship, and submarine operations require a thorough and disciplined approach to planning and mission execution. These platforms are systems (really, systems-of-systems) in their own right, and they rely on proven methodologies to project overwhelming and irresistible warfighting capability, or as we’ve come to term it: “shock and awe.”
Continuous monitoring of these strategic and tactical capabilities (it’s not just a Computer Network Defense strategy anymore) frequently highlights “in-flight corrections” that need to be made to reach the final destination or mission objective. Information technology has now become no less a critical infrastructure and mission-critical system or system-of-systems requiring the same level of due care and due diligence in planning and execution; information and its related technology is the primary underpinning enabler for almost every other warfighting capability.
How then, do we continuously monitor systems of IT services, capabilities, and their underlying processes to make the necessary course corrections when these systems may have differing mission objectives, are controlled and operated by disparate and non-linear entities and probably have differing ideas about what should be measured? Moreover, what benchmarks can we use that tell us we’ve achieved an IT objective or outcome that supports the mission?
In this information age, with the emergence of extremely powerful hardware, highly versatile and responsive software, and gigabit network speeds, data is transformed into information-on-demand and is often throttled only by our browser’s refresh rate. The complexity of IT services is increasingly beyond our ability to adequately support and manage the delivery of those services using existing parochial toolsets that are product-based along with their associated single-threaded measurement methodologies.
Luckily, IT Service Management (ITSM) has come of age, providing the tried-and-true means for monitoring and managing a litany of services, their processes, activities, tasks, interface seams, roles, responsibilities, skill requirements and information work products. See Figure 1 for an illustration of the components of ITSM.
ITSM is an umbrella term coined by industry denoting the myriad of frameworks, international standards and industry best practice available to an IT organization for the governance, management and oversight of their information and related technologies. At its heart, ITSM focuses on governance and management of the people, processes and products, as well as the technologies within IT that are aligned with business/mission requirements to drive value to the customer.
Arguably the most famous of these ITSM frameworks is the Information Technology Infrastructure Library (ITIL). ITIL version 3, updated in 2011, defines service as "...a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks."
ITIL further defines Service Management as, "...a set of specialized organizational capabilities for providing value to customers in the form of services."
Enterprise email is a classic example of a service. For example, we don’t want to operate and manage the set of servers, routers, switches, DNS crawlers, cabling and software that make up the email path from writer-to-reader. We just want to click on the email client and read email. Then we want to easily reply or forward it to our colleagues, and then turn our attention to other matters.
So we contract with an email service provider who takes care of the entire behind-the-scenes infrastructure and processes that enable reliable delivery to our inbox. We pay a competitive market rate for the agreed-upon value we contract to receive (the service), not bothered by the aggregated costs of provisioning and technical acumen required for the service — all of which is borne by the service provider.
The service itself is supported by any number of IT processes (availability, capacity, information security, etc.) that are themselves enabled by activities necessary to produce defined process outcomes. Each activity is in turn enabled by specific tasks encapsulated within the activity, and those tasks are performed according to defined procedures, be they standard operating procedures, tactics, techniques and procedures, work instructions or other documented how-to guides. ITIL currently defines 26 IT processes and four functions.
Given that, by and large, the Defense Department doesn’t exist to produce products (widgets) but instead consumes products and services and then packages them into warfighting capabilities; we can correctly assume that DoD is, at its core, a service provider. This aperture reduction requires an emphasis shift for using ITSM for the management of products to that of service — and ultimately service delivery. For our purposes, the product is the service itself. The difference is usually couched in terms of tangibility (i.e., products are tangible… service is not).
Remembering our enterprise email service example, it is an intangible product, but a product nonetheless in that we can select and order it by Contract Line Item Number (CLIN) from the Next Generation Enterprise Network (NGEN) service catalog and use it for the duration of our license, under warranty. The product of our service includes the use of the technology, the skill and competency of the people to keep the service available to us, the various processes, activities, tasks and procedures involved in delivering the service to our desktop, as well as the management and governance of the enterprise capability created and sustained as a multifaceted channel for service (product) delivery.
The need for ITSM is more immediate than ever before, evidenced by the unrelenting and downright dizzying advances in the technology and capability of enterprise IT. The conundrum we face is that with austere budgets juxtaposed against ever-increasing complexity, how do we govern and manage an enterprise to foster convergence, integrate and align mission requirements, optimize value and (lest we forget…) increase efficiency and effectiveness?
The Deputy Chief of Naval Operations for Information Dominance ( OPNAV N2/N6) spoke to this issue in NAVADMIN 339/11 by stating in part, “Effective governance is critical in this environment of declining resources.”
The message went on to highlight the creation of the Navy Enterprise Information Technology Governance Board (NEIGB) which had been established a few months earlier and was chartered to govern Navy Enterprise IT.
The Department of the Navy Chief Information Officer (DON CIO) memo of June 11, 2010, Information Technology Service Management in the Department of the Navy, had been circulated previously, establishing the Navy’s ITSM framework for “…all DON Information Technology Service Management processes being developed or updated within the DON.” The direction being set was clear and unmistakable: no longer will individual and disparate commands and activities regulate their own IT assets and infrastructure — they will now align with an established ITSM architecture and governance construct to ensure Navy Enterprise IT is governed and managed proactively using industry best practices and frameworks (like ITIL), and international standards (like ISO/IEC-20000) for the effective and efficient delivery of service.
Commander, Navy Cyber Forces Rear Adm. Diane Webber said, “We assure the readiness of our aircraft, ships and submarine warfare capabilities by monitoring them against established standards reinforced with specialized and integrated training, manning and equipment. And yet, we continue to operate our networks without Navywide standards and without a common discipline across our IT workforce.”
On April 17, 2012, policy directives and guidelines for ITSM were fitted with a new pair of boots on the ground with the establishment of the Navy IT Service Management Office (ITSMO), a joint venture between the Fleet Cyber Command (FLTCYBERCOM) CIO-1 and the NGEN Program Office PMW-205. Originally chartered to provide an enterprise IT governance and management construct for the NGEN program, the Navy ITSMO has expanded its offerings beyond the program scope and has developed deliverables and artifacts for the Governance of Enterprise IT (GEIT) that have an organizationally-agnostic flavor. One of the flagship products developed by the Navy ITSMO is the Navy Process Reference Model (NPRM).
The Navy ITSMO leveraged the 26 ITIL processes and added additional processes and components from ISO/IEC-20000, COBIT and others, to produce a DoD-specific process reference model that contains 34 interlocking IT processes — everything from Access Management to Workforce Management — that defines inputs, outputs, controls, roles, responsibilities, and tool and skill recommendations and incorporates Continual Service Improvement (CSI) principles within each process. A chief distinction of the NPRM is the incorporation of the ISACA COBIT 5 governance model which emphasizes the evaluate, direct, and monitor (EDM) activities necessary for government oversight and control of its own, or vendor-managed infrastructure. The NPRM version 2 is scheduled for publication in April 2014 and provides a solid foundation upon which Navy organizations can construct or improve the management of their enterprise and IT infrastructure.
With the advent of the NPRM, Navy IT organizations now have a baseline process architecture model against which to build their own organizationally-relevant framework for the delivery of IT services. However, the NPRM alone doesn’t answer the important questions surrounding how well those services are being delivered. To aid in assessing whether their IT processes were performing as designed, the Navy ITSMO added the Process Capability Assessment Tool (PCAT) to its arsenal of service offerings.
The PCAT helps organizations objectively quantify the quality of their process performance, and by extension, the quality of their service delivery. The hard truth is that if you don’t measure the quality of your processes and services, you don’t really know if you’re actually delivering what the customer expects. As a tool in the hands of a trained assessor, the PCAT fosters an enterprise approach to IT service quality, taking a holistic view of process capability and performance through five lenses: Performed, Managed, Established, Predictable and Optimized. See Figure 4.
This assessment model provides the criteria to capture process performance metrics and assess capability against the five dimensions (levels) of capability and automatically calculates assessment input and provides a graphic depiction of capability. “So what?” you may say. A fair question – if you either don’t understand the value of quality or worse, don’t care. But neither is the case for managers charged with ensuring quality delivery of IT service; they just need a way to measure it. The PCAT helps them do that using an approach that conforms to international standards for assessment (ISO/IEC-15504) and provides a concrete gap analysis of current to target-state process performance.
Implicit in the analyses of process performance are the CSI tenets of the “Deming Cycle” — the familiar but often elusive Plan-Do-Check-Act (see Figure 5) sequence of events that build on every-increasing baselines of capability to arrive at and maintain a level of quality service delivery that is classified by industry as “customer delight.” Customer delight is generally defined as surprising a customer by exceeding his/her expectations for quality service to the point that it creates a positive emotional reaction. Delighted customers are the ones who take the time to fill out positive surveys and actively advertise by word-of-mouth.
The NPRM and PCAT are but two of the products created and maintained by the Navy ITSMO. ALCOM 193-13, Navy Enterprise IT Service Management Office (ITSMO) Establishment, was released in September 2013 to inform ITSM stakeholders about the many and varied tools, templates, guides, frameworks, standards and expertise offered by the ITSMO.
In another example, the ITSMO has developed a comprehensive ITSM Lifecycle process (see Figure 6), with documentation and templates that can be used by process design teams to craft their ITSM construct around organization-specific and unique requirements. The lifecycle maps a logical and progressive design evolution from initial strategy development and planning through deployment, operations and sustainment with management review checkpoints along the way. Taken together, the entirety of the ITSMO capability available to the ITSM stakeholder is represented in the Service Management System (SMS), defining specific practice areas for IT Governance, Process Architecture, Service Quality Management and Assessment and Audit. Using the ITSMO SMS (see Figure 7) offerings and expertise will empower commands and organizations to:
- Set Standards.
- Drive Behaviors.
- Monitor and Verify Results
- Influence and foster CSI.
Let’s take a closer look at how this is done. First, standards and standardization are applied to the environment. While ITIL is not a standard (in that it is not auditable), it nonetheless provides a framework around which to build or enhance an enterprise IT construct to which standards can then be applied.
Using ITSMO products such as the NPRM and PCAT containing service-supporting processes, activities, tasks, outcomes, roles responsibilities and skills, as well as leveraging DoD guidance from the DoD Architecture Framework (DODAF) and Defense Enterprise Service Management Framework (DESMF), organizations can begin with a solid basis for best practice implementation. The ITSMO continues to blaze a trail toward enterprise standardization through active participation in shaping the DESMF versions 2 and 3 by leading several DESMF working groups, as well as helping to inform the DoD ITSM Policy as a working group member.
Secondly, driving behavior and conformance through the issuance of IT Governance policy tied to the ITSM Lifecycle will begin the process or organizational change necessary to gradually morph the culture toward a more service quality-oriented enterprise. The policies define behavioral and competency requirements, including skills, training, and collaboration, among others. Behavior is further steered through the establishment of communities of interest, (COIs) that drive a unified message through the organization. The ITSMO has recently developed a collaborative COI for the ITSM stakeholder community through the DoD milSuite portfolio of products.
Thirdly, continuous monitoring, sampling and verification of results are key to driving CSI and institutionalizing gains in quality and efficiency. This is where the PCAT can come in handy as an integral piece of the Plan-Do-Check-Act quality enhancement toolset. Buttressed by the ITSMO Performance Guide and Service Quality Plan which are themselves based on the ISO/IEC-20000 standard for Service Management, organizations have ready-made templates available to them for creating and sustaining service quality and continual improvement activities.
Lastly, if no one knows about your initiatives, they can’t actively participate in changing the culture. Evangelizing organizational change initiatives simply means getting the word out – loud and often. Strategic Communications is the purview of IT Governance to harmonize the various communication paths, channels and outlets into an orchestra that clearly communicates thought leadership, direction and intention. Strategic Communication is not one-way – providing a capability for stakeholders to communicate up the organizational tree affords governance with critical insight into stakeholder understanding and acceptance (or lack thereof) of ITSM initiatives.
The ITSMO has developed a Strategic Communications Plan detailing multi-channel stakeholder outreach, including newsletters, organizational stakeholder analysis, portals, a service request system, product overview briefs and audience-based messaging. Again, these artifacts and templates can be leveraged by any organization to create a working Strategic Communication infrastructure and oversight capability.
“As we mature our Information Dominance capabilities, we must now provide a similar systematic readiness approach to the delivery of the high quality IT services crucial for effective Command and Control (C2), Battlespace Awareness and Integrated Fires. The Navy IT Service Management Office (ITSMO) and its associated standards and guidance are an essential and timely contribution to the Information Dominance community as we seek to converge our Navy enterprises, measure their integrated capabilities and improve our overall level of readiness,” Rear Adm. Webber said.
So, let’s put it all together…
The strident questions many IT managers have about how best to manage, measure and improve their environments while dealing with the daunting complexities of today’s Enterprise IT environments are answerable, at least to some degree, through the use of established international standards and industry best practice. These resources as cataloged by the Navy ITSMO and other DoD enterprise frameworks, allow the Navy to be more prepared for the challenges of proactively managing a rapidly changing IT landscape, with the confidence that comes from knowing the techniques described here for IT Governance and management are being applied on a macro scale around the globe.
Organizations now have abundant resources and expertise to advance the professional IT workforce and increase the probability for success of their initiatives while monitoring and optimizing the costs across the enterprise. Setting the standard through governance, driving behavior through policy, monitoring and measuring for quality, and evangelizing the intent, direction, goals, successes, quick-wins and organizational attitude for quality service are the puzzle pieces needed to complete a transformation in your Enterprise IT.
“The Navy ITSMO expertise proved helpful in providing experiential background, process information, and content for Edition II of the DoD Enterprise Service Management Framework (DESMF). This group provided leadership, continuity to the framework, and served as an integral part of moving forward with process alignment and the Joint Information Environment (JIE), said Drew Jaehnig, chief of the Defense Information Systems Agency ITSM Office.
Mukesh Barot is currently the IT Service Management Lead for the Navy ITSMO and can be reached at email@example.com.
About the Navy ITSMO
Chartered in April 2012, the ITSMO provides IT Service Management thought leadership and assistance by creating usable products and services for the Navy ITSM community. The Navy ITSMO strives for alignment of enterprise IT architecture through discreet but interlocking practice areas to help define and support organizational IT governance and management requirements. The Navy ITSMO resume boasts industry-certified expertise in ITIL, COBIT, program and project management, DoDAF, IT Risk Management and Control, IT Skills Framework, Service Quality, CMMI, ISO/IEC-20000, ISO/IEC-15504, Information Security, Enterprise IT Governance, and Assessment and Audit.
The Navy ITSMO Wiki is located at: https://www.milsuite.mil/wiki/Navy_IT_Service_Management_Office.
Access to milSuite is CAC controlled. First time users will need to register using their Common Access Card (CAC) with milSuite by clicking the Register button, confirming their information and clicking Submit.
The NPRM is available for download on the ITSMO portal at https://usff.portal.navy.mil/sites/fcc-c10f/cio/1/ITSMO/default.aspx.
Stakeholders can request a process-specific PCAT tool from the ITSMO through the ITSMO Service Request System:
Note: Access to the ITSMO web portal requires a Navy Forces Online (NFO) account. Email firstname.lastname@example.org for instructions for obtaining an NFO account.