Monday, March 18, 2019

Post #4027 J: It's Not Just Dealing With Government Folks

I'm in the process of moving on professionally. There are a lot of things I can't say by contractual terms with the contractor and government, but I'm addressing some of the annoying points of working with the government.

In my post-academic professional career, I've often excelled in challenging situations. I worked for a young privately-owned company later bought out by Equifax (it basically marketed statistical analyses of customer data (we did a lot of business with credit card issuers), extracts of which we stored more recently on Unix Oracle databases, often on Sun Microsystems (bought out by Oracle several years back)). We still had a mainframe in our facility with high maintenance costs (like a quarter million dollars annually); migrating applications off the mainframe paid for itself within 6 months. One of my first projects was to take our load of dozens of carts from our biggest customer which took about a full week to run via mainframe and basically convert it to a more flexible, overnight job on our Sun servers (the mainframe couldn't handle things if the carts were out of order). There were some contract terms linked to data loads; these were so important that my former manager tried to block me from going to Brazil on another project because she didn't trust my (higher-paid) replacement. The trains ran on time under my regime (usually within a day of receipt), while under predecessors, they were delayed by up to 6 months or more.

So one day the senior VP called me and basically told me the other DBAs and/or developers were going through Seagate Barracuda drives faster than the company could acquire them. He knew there was a lot of waste going on and tasked me. I went through a series of actions, including stripping privileges from developers, deleting dubious tables (some with 4-letter names), and compacting existing tables. Soon developers were griping about my "bureaucracy", but senior management backed me up. (There was a negative side to this; when my boss left the company, recommending me as the replacement, the mostly mainstream developers were convinced I was management's ax-man (out to replace them with new Unix-savvy college grads) and threatened to quit if I was promoted. There was no truth to these rumors.)

So in my current position, which I started in mid-2017, things were operational but largely undocumented and several things were obsolete. And I had to often battle inertia every step of the way. To give a minor example, there were (OEM) management agents on the ODAs (Oracle Database Appliances); an interim civilian (government employee) DBA/developer objected to patching the agents outside of comprehensive ODA patch processes. I had to get a response from Oracle Support and a joint meeting via my branch chief to get a buy-in.

I had to field a cold call from a government accountant or auditor this morning, questioning a sub-$1000 disk invoice; there is a long story behind that. Anyone familiar with government computer security (well, maybe not Hillary Clinton) knows that the government retains and destroys disabled disks. So a few months back I encountered a bad disk on my development ODA. I had a hardware CSI with Oracle. For certain consumables, like disks, Oracle doesn't send out a technician but ships out a replacement with limited instructions. (That was an issue by itself. The new (DSC) command-line interface did not support commands to identify the defective disk.) Plus my development ODA was in a secured facility I didn't normally have access to and so I had to arrange for a special escort.

Now here's the critical point: Oracle normally expects return of a replaced part (for part failure analysis, etc.). But realizing that some parts like disks are sensitive to clients because of potential data recovery, Oracle offers its customers DDR coverage, which basically allows the client to keep and/or destroy the consumable in question. And when the government initially bought the ODAs in 2014, they had DDR coverage.

But something happened when the 2015 Oracle Support bill came. For some unknown reason (budget decision?), the government dropped DDR coverage, effectively self-insuring against predictable disk failures. (I didn't know this; basically Oracle Sales had to discover what happened, knowing it was initially in the reseller contract.) So Oracle, when it sent out the replacement disk, sent a label for the part return. Well, the government's security policy hadn't changed and blocked the return.

So Oracle's contract said if you don't return the disk, we'll invoice you for the replacement. My client manager pushed me to get the price Oracle would invoice us for not returning the part. Not that he had the budget yet to pay for it. Then came a string of calls that led me to Oracle Sales, and Oracle Sales said they didn't hold said inventory; it came from Oracle Support, but their back office was understaffed, and we would get the invoice when we get the invoice.

Maybe a week or two later, the client manager said his budget opened up a bit, perhaps enough to cover the disk and renewed DDR coverage. (Initially Oracle told me they wouldn't do that, that the government would have to backfill DDR premiums back to 2015.) The DDR quote submitted by the reseller had expired. So I had to get back in touch with Oracle, the reseller, etc.

I was still waiting for word this morning from the client manager that he had paid for the disk, so I could turn over the defective disk for degaussing, etc., when I got a call from this government cog who basically seemed to accuse me of doing something unauthorized (I'm not sure but I think she was naive enough to believe the replacement disk should have gone out for competitive bid; no, Oracle was enforcing its contractual rights. They fulfilled their hardware support contract. But without DDR coverage, the government had to return the disk or pay a fee.) She was still in a state of denial, outlining the organization structure for procurement. Well, this is not my problem as a contractor, even less now. I hate getting caught up in government bureaucratic nonsense. The real problem is that someone dropped DDR coverage in 2015. If you want a scapegoat, find out who was the bonehead who did that.

Then there's the issue of other departments using old (11G) client software (which by now may no longer be an issue), but the key client manager had failed to communicate the higher algorithm I was using to strengthen STIG (government IT audit) compliance. (SHA-1, supported by Oracle 11G, is not accepted by current security experts; we need to be at SHA-2 or better.) I recently implemented SHA-2, known in advance by the key client managers. First, I ran into an issue with one group, and had to wait almost 2 weeks for them to upgrade their client (which in theory should have taken minutes). (I didn't know how their running old clients for years to our 12C database had escaped auditor's attention.) Then a second group subsequently discovered their own issue during a high-profile scoring exercise. Their civilian DBA quickly escalated matters by cc'ing branch chiefs, arguing the STIG had a legacy system exception (this was after he falsely alleged that implementing 12C client software could adversely affect his 11G server software install). After some time, I finally said to the effect, "Kevin, instead of complaining, why don't you spend 15 minutes installing the 12C client in its own home (folder)?" This utterly shocked all the civilians who regarded my response as "unprofessional", including my key client manager, who accepted blame for not communicating the algorithm change to the other 2 groups. I think it also came across that I, as a contractor, was operating outside my lane, in telling a civilian what to do, that I needed to work through the appropriate civilian group (in this case, information assurance, which I did do; they quickly made it clear Kevin needed to deploy a SHA-2 compliant client, which he is supposed to implement by sometime this week.) But my own contractor management read me the riot act, paying lip service to pursuing STIG compliance.

Finally, there's a petty issue with a petty, personality-challenged contractor program manager WB. Literally no one likes this moron. (I was recruited by BZ, his predecessor; one of the last things BZ did before leaving for an assignment elsewhere was to give me an employee award after one of my developers on a different contract wrote a rave review over my phenomenal turnaround, accuracy, etc. on responses to his requests.) WB quickly did away with BZ's monthly meeting and has a different communication style, including a more threatening tone and nagging emails, often with a condescending, sarcastic tone (particularly in personal emails to me).

Now to provide some context for the disagreement, contractors (as well as civilians) have to take a number of up to 10 or so general courses/annual refreshers (it varies by location and context); almost everyone does cyber awareness training. There are also local area requirements (I think I've probably had to take some 30-odd Windows online courses). One particular annoyance was we had to do both online and in-person (up to 3 hours) SHARP (sexual harassment) training; I think locally this year they dropped the online and reduced the in-person training.

I had to take all of these during my first few weeks in 2017. Then, thinking last year I could knock them out early, I was dismayed they reset the refresher expiration by the anniversary date of the exam, not the end of the fiscal year (which meant I also had to knock them out early this year). So one of these courses is TARP; no, not the troubled assets program from 2008, but Terrorist Awareness training. In fact, I ended up doing my third TARP training last week.

But sometime maybe a month or two back, WB started heavily promoting a (new?) in-person TARP training taught in a large auditorium in a different area of campus. Now my official position has always been, "Look, if the job requires a second TARP training a year, I'll do it, but it seems (and in-person attendees confirm) the material is highly redundant." WB's position is that the requirement is required in the contract. But I get the certificate at the end of the test to the online training, and the online training for me is mandatory. WB sarcastically asks, "Why do you think they are holding these things in big auditoriums if people could just do it at their desks?" My branch chief (civilian) commented last month, while I was about to head out, "I don't know why all these people are going there when they can take the online training." Then WB sent me some unattributed quote claiming in-person was mandatory.

So last week there was a general organization email sent out the morning of the March training, which made it clear either in-person or online training would suffice. I forwarded the email to WB maybe an hour before the second training session, asking him to respond if I needed to go. No response.

So then this morning I get yet another (third or fourth) email on TARP; this time he's quoting some civilian or military person who says the organization really, really regards in-person as the default and the online is basically intended for those under extenuating circumstances. It's like a damn dog clamping down on his bone. I'm basically responding to CP, on-site lead, just under WB, what is it WB doesn't get? The online course was mandatory for day 1; this in-person doesn't do testing, and it basically is redundant in conduct.

I believe the clinical definition of WB is "an asshole". This guy maintains a current list of anyone who has complained about me over the past 2 years, most of it petty BS, one of which was some HR person at the back office. (I don't recall the specifics; it may have been a no-notice password change issue, and I had to file my hours by a certain time.)

To be honest, life is too short to put up with WB and this nonsense. I haven't gotten a well-deserved raise. I had been contemplating a change for some time now.