Oregon CIO Dugan Petty realizes that reforming IT procurement is a job that never ends. He was a procurement officer in Alaska in the 1980s and faced problems with technology contracts then. "We found ourselves addressing sophisticated technology with the same terms and conditions used to buy sand and gravel," he said. "They just didn't fit."
Fast-forward 25 years and Petty is still addressing IT procurement as Oregon's CIO. He and state Chief Procurement Officer Dianne Lancaster rolled out new guidelines this year meant to increase agencies' flexibility to negotiate terms and share risk between the state and IT service vendors. "These issues just come with the territory of IT procurement," Petty said. "Technology is always changing rapidly and procurement laws are much more static, so there is bound to be a collision."
That collision is often between state procurement officers and software vendors and consulting firms, who have long complained that terms and conditions of state contracts are out of line with commercial norms.
Vendors argue that the complexities of IT service agreements are not well suited to uniform application of a standard set of terms and conditions. They have been particularly adamant in their disapproval of contracts that contain no limit on vendor liability if something goes wrong; their second-biggest bone of contention is ownership of intellectual property of systems developed by vendors for government agencies.
Lower down their list of complaints is the requirement in states like Kentucky that vendors carry performance bonds. It has become increasingly difficult and expensive for companies to get bonding authority, and companies don't want all their bonding authority tied up for a few years in anticipation of winning a particular contract.
Of course, contracting in state and local government has always been different than in the private sector. Public purchasers face mandates and accountability to legislatures and governors, so the rules must be different. But vendors complain either when states refuse to negotiate or when bids are examined on a pass/fail basis and anything that deviates is thrown out.
"That might have worked when you were just purchasing equipment," said Bob Metzger, an attorney with Pillsbury Winthrop Shaw Pittman who works with the trade organization TechAmerica. "But the states' needs have changed dramatically, and they are now purchasing a lot of complex services and systems that require interoperability."
CIOs have a keen interest in how IT contracts are negotiated. Their job is to help agencies use IT to achieve their goals and reduce recurring costs.
"The problem CIOs have is that although they set policies on IT, they do not always control acquisition policies related to IT," Metzger said. "There can be real tension around acquisition technique between CIOs and procurement officers."
The National Association of State Chief Information Officers (NASCIO) recently conducted a survey on limitations on liability in state IT contracts. Of the 49 state respondents, 28 states now provide some limitations on liability for vendors; 16 do not; and five offer limitations on a case-by-case basis.
According to NASCIO Policy Analyst Chad Grant, those numbers represent a drastic change from a 2004 survey that showed a majority of states had no limits on liability. Many states now use a multiplier of one or two times the contract's value as the liability limit. Grant said New Jersey has been innovative and gone to a range of multipliers starting at 100 percent of contract price and ranging all the way up to 500 percent.
"They have a risk management team working to assess, contract by contract, which liability level makes the most sense," he said.
The biggest reason for the change is that states were noticing that fewer companies were bidding on their projects, Grant said. "These companies couldn't justify putting their whole business on the line over the value of one contract."
What follows is a roundup of innovations in IT procurement at the state level to foster greater competition. Some involve changes to terms and conditions, while other states have sought to increase communications between agencies, state CIO offices, procurement officials and vendors to speed up the process.
Lancaster remembers it like it was yesterday. In 2008, she was at a national conference and overheard vendors talking about a client case management system RFP for the Oregon Department of Human Services that drew only one bid. Large players, such as IBM and Deloitte, chose not to bid because they didn't like Oregon's terms and conditions.
"As a procurement officer, my job is to encourage as much competition as possible, so in that case I feel like I failed," she said.
Lancaster, who also is president of the National Association of State Procurement Officials (NASPO), called that meeting a real wake-up call. Upon further review and discussions with CIO Petty, she realized many IT service contract bid prices were too high because they reflected increased risk mitigation and that the state's solicitation timelines were often excessively long.
Lancaster convened a task force that consisted of Petty, four agency CIOs, an assistant attorney general, state procurement people and representatives from TechAmerica.
"We had to develop something commercially reasonable for business risk allocation," she said. "It helped to have supplier advocates in the room. We were also lucky that we didn't have to go to the Legislature or even revise administrative rules. We just had to make up our minds to do it."
The state developed six templates for contracts that agencies can choose to start from depending on the type of IT work. The basic template sets the liability at one times the contract's value. Changes were made to language regarding intellectual property rights. The state determined it does not need to own the rights, but does need broad rights to use software.
"We are starting from a very reasonable position," Lancaster said, "so that should cut down on the negotiations required."
Petty agrees, but acknowledges there's still work to do. "These half-dozen forms make a better starting point than one size fits all," he said, "but it requires that people in agencies exercise judgment about the business risks they are willing to accept."
The state has begun a two-year pilot to train staff, evaluate the impact of the new terms and do some measurement.
"We have gained some good will," Lancaster said. "We worked diligently to truly make some changes to help the state government be better business partners on IT."
Tennessee passed legislation in 2000 that allowed procurement officials to set limitations of liability for IT service contracts at two times the contract amount, but even that seemed too rigid to negotiators in the Office for Information Resources.
"I was well aware that this was costing us money and that vendors weren't bidding on contracts," said state CIO Mark Bengel. "Vendors were assessing risk and figuring that into contract bids, and it was limiting competition."
In 2007, Bengel convinced the Legislature to amend the 2000 law to permit even greater flexibility on liability. "Now we have the option of setting the liability below two times the contract amount, and we just did that on a recent SACWIS [statewide automated child welfare information system] project," he said. "I don't get involved in these issues so much in my day-to-day tasks, but on any large statewide contract, I will get involved in those liability issues."
With liability less of a sticking point since the legislation passed, the state still struggles with assigning intellectual property rights, said Travis Johnson, a contract specialist in the Office for Information Resources.
Tennessee's position is that if a vendor develops computer code that the state is paying for, the state owns that code. But vendors may bring 99 percent commercial off-the-shelf software and customize 1 percent. "That becomes problematic for the vendors who want free and clear title," Johnson explained. "We are struggling with those rights negotiations on a case-by-case basis."
Anne Rung admitted that before Pennsylvania instituted major procurement reform in 2003, purchasing was decentralized and unsophisticated. "There was little understanding in agencies about total cost of ownership, and the same people who were ordering information technology services one day were ordering socks the next," said Rung, deputy secretary for administration and procurement in the Department of General Services (DGS).
The 2003 reforms moved 150 employees into the DGS to create teams of commodity experts, including IT staff. Then in 2008, those staffers worked with the Office for Information Technology to refine Pennsylvania's invitation to qualify (ITQ) contracts to optimize performance. (ITQ is a system in which vendors prequalify to bid on contracts and agree to all the terms and conditions ahead of time.)
"We were hearing from vendors that our terms and conditions weren't business-friendly and some vendors were less inclined to bid," said Rung. The state team sat down with 50 IT vendors and worked through the language and terms of changes.
The state changed from unlimited liability to one times the amount of the contract. It also made changes to ensure that intellectual property ownership rights are fairly allocated, she said. In the past, agencies only had to solicit one vendor if a contract was less than $50,000. Now they must solicit all vendors that have qualified in a certain category.
"We are seeing a reduction of 25 to 30 percent in the time it takes to procure IT services," Rung said. "It is a fairly easy enrollment process, and we have taken steps to ensure we have quality vendors enrolled. We now have 500 suppliers qualified in 14 IT categories, and have done $18 million in contracts using the updated contract."
Betsy Hayes, professional/technical contracts manager for Minnesota, had been hearing from IT vendors that while smaller companies may be willing to sign their lives away, larger companies have much more to lose and are more cautious about liability concerns.
It was also obvious that one size does not fit all when some contracts have very minimal exposure to risk and others involve reworking the state's entire financial system. "Having the same clause for all cases is moving in the wrong direction," she said.
"We decided to work closely with our Office of Enterprise Technology to develop a menu of options on liability provisions, so that there is a basic master IT services contract, that is quiet about liability, and then there are four options that agencies can choose from, ranging from very favorable to the state to much more palatable to vendors," she said. "So the agency personnel can assess the situation, look at these menu options and insert the requirement."
Or, Hayes added, they can insert more than one version and the vendor can choose which option it will abide by. Or vendors can choose more than one option and offer a price differential for each.
She admitted that agencies still tend to choose the most stringent terms. "I think this is a matter of educating agency officials who have less comfort doing the types of assessment necessary."
But Hayes views the creation of the master services contract as a success. "We have more than 300 vendors signed up to take part in the master contract program," she noted, "and I think if the standard liability language is all that we offered, many of those would not be participating."
Turnaround in Iowa
A March 2008 report to the Iowa Department of Administrative Services (DAS) by private consulting firm State Public Policy Group was quite blunt in its assessment. "Iowa is viewed as difficult to work with in RFP and contracting processes, particularly in comparisons with other states," it said. "Simply stated, it is near-universal among vendors that the Iowa procurement processes make it too difficult for vendors to ascertain the state risks involved in a project, and unlimited liability provisions make it impossible from a business perspective for corporate leaders to allow the company to undertake a project with such significant uncertainties."
Since that report was issued, Iowa has taken several steps to rectify the situation. Legislation passed in 2009 instructed DAS to adapt rules on limitation of liability, although it didn't specify what they should be. After holding several meetings with the vendor community, DAS officials set liability at one times the contract amount, but if agencies believe there's greater risk involved, they can seek approval for higher rates.
"Anecdotally we are getting more responses to bids," said Debbie O'Leary, administrator of DAS Procurement Services. "Besides more competition, we are also seeing time savings on negotiations," she added. "These contracts used to take months to negotiate, but it is much more effective now that those issues are settled up front." DAS has changed other practices as well. Previously if vendors took exception to certain terms and conditions, their proposals were thrown out. "That has changed," O'Leary said. "Those questions are looked at more closely."
In California, 95 percent of IT commodity procurement can be completed in less than a month, and even IT service procurement up to $1.5 million happens fairly quickly, said Adrian Farley, director of the California Office of Technology Services. But traditionally, larger IT service procurements have taken much longer, and the state has taken several steps to address the problem. Along the way, it has introduced several procurement innovations.
The first approach, referred to as "RFP boot camps," involves project teams that integrate the Department of General Services, the Office of the CIO and agency teams in the early stages of the procurement process. "One of the biggest problems in IT service contract procurement involves unclear business requirements for vendors to respond to," Farley said. "These boot camps get us in on the ground floor to help establish business requirements and describe how the project relates to our enterprise architecture."
The first project to use the boot camp model involved a $25 million California Department of Transportation construction management software contract. The procurement, which previously might have taken two or three years, Farley said, was completed in just nine months.
California is also experimenting with multistage contracting. In stage one, multiple vendors are paid to develop a basic "proof of concept" model of their approach to a problem in what is referred to as a "bake-off." In the second stage, one vendor is chosen to expand its proof of concept to the entire system. The first example involved an $80 million contract for the state's human resources and payroll system, a contract won by vendor SAP in less than a year.
"The two-stage system helps vendors gain greater clarity into the needs of the state," Farley said, "and into their own risk."
Although they don't yet have complete data sets to prove it, IT and procurement officials in states that have made changes to terms and conditions report a noticeable impact in terms of increased bidding. Many of them say that with a more flexible process that does not impose all the terms, they end up with better pricing and more innovative solutions.
"It boils down to how we are organized to manage procurement, and a production line model really isn't working in the technology arena," Oregon's Petty said. "It breaks down. The dynamics of agreements are different each time." He added that with technology changing, terms must be reconsidered. "For instance, we have to figure out what the terms are for software as a service."
Groups like NASCIO and NASPO are working with their members to develop a set of best practices. Oregon's Lancaster said a task force at a multistate procurement organization called the Western States Contracting Alliance is hard at work on a set of standard terms and conditions for IT procurement it hopes to propose to its members in 15 states by this fall.
"It helps states to do an environmental scan to know what is going on in other states and be able to look at other innovative policies," NASCIO's Grant said. "Without that type of scorecard, it is hard to judge your own performance."
In states that still have unlimited liability, such as Oklahoma, he said it's up to the CIO to reach out to the legislature or the attorney general's office to explain why the current terms and conditions aren't working for them and propose changes. "It comes down to the people in charge making decisions about how much risk they want to take on."