The Air Force is moving beyond requiring airmen to use smart identification cards to log onto its computer network. The service now is making its network security even stronger.
Lt. Gen. Bill Bender, the Air Force’s chief of information dominance and chief information officer, said the use of role-based authentication should be “baked- into” its IT systems in the future. “It should make life a whole lot easier for the user,” he said. “When they pick up and move to a different location, anywhere they are globally, they are recognized for the access they’ve been granted, and continue to operate as if they were at their home station. This is one aspect of many that needs to be addressed and thought through in a way to move us into an applications-based, single security architecture that ensures the security of those operating on the network going forward.”
Bender said the Air Force is already migrating some of its common computing environment to the Defense Department MilCloud and the use of role-based security is one of several cybersecurity architectures the Pentagon is putting in place.
“We are not ready for prime time yet, but there is a lot of good work being done by the chief technology officers out there and by the program executive offices, specifically, in this case, at Hanscom Air Force base to address the security concerns,” said Bender, who took over as Air Force CIO in June for Lt. Gen. Michael Basla. “I think we are looking at a lot of the foundational work is being done now, and it’s not unreasonable to say a year to two years we should see rapid advancement. All of these efforts, data center consolidation, application rationalization and migration, the common computing environment and the architecture work, all of that is being done simultaneously, so I think we are in the ‘go as fast as we can’ mode, but there’s also some constraining points. Where’s the money going to come to pay for this? And then where are the ‘no kidding’ engineering hurdles we need to get across?”
The Air Force already is in the middle of several pilots that will help it figure out where to go with several emerging technologies, including mobility and shared services for email and Microsoft SharePoint under the Joint Information Environment (JIE) construct.
New IT foundation being put in place
The JIE underpins much of the DoD’s technology innovation and evolution going forward.
The Air Force and the Army launched the first instance of the Joint Regional Security Stacks (JRSS) in September.
The new security plan, centered on a new system of Joint Regional Security Stacks (JRSS), reached initial operating capability at Joint Base San Antonio (formerly known as Fort Sam Houston and Lackland Air Force Base). Those neighboring Army and Air Force installations are now managed administratively as one joint base. But until recently, there wasn’t much jointness in the way the two services operated their IT networks. Similar to all of the other services’ installations, the Army and Air Force have been operating their own cybersecurity architectures at a local level — in this case, two of them. Under the JRSS construct, the Army, the Air Force and, eventually, the Navy will hand off most of their base-level cybersecurity functions to 11 regional, jointly-operated facilities.
“I think there is a lot of momentum starting with the DoD CIO with Mr. [Terry] Halvorsen and his team as well as each of the services, really tied together in our efforts to go jointly into the future. The Air Force is trying to first demonstrate full partnership. We’re behind JIE as a concept and certainly the first initial steps with the laying in and equipping of the JRSS,” Bender said. “But at the same time, the Air Force has three-plus years with a single security architecture with the AFNet, so in a lot of ways we want to lead both the definition of the architectures involved here to make sure we leverage that experience that we have, and at the same time, in operationalizing the JRSS and the pieces that follow that make up the JIE.”
He said the use of JRSS is the next evolution of the AFNet in many regards, and gives the service added security and a joint solution.
“The one caution and perhaps a slight difference of our perspective from maybe some of the other services is that we want to be very careful to keep it affordable,” Bender said. “We know we have tremendous expenses facing us in the out years. so the balance that we need to play in perhaps limiting us to the gold standard instead of the platinum standard, recognizing that gold is still better than where we are today and then always leaving the door open to making improvements so an affordable, agile approach to the JRSS, and the JIE writ large is where the Air Force is trying to lead this discussion.”
He added requirements creep is a real challenge to the JRSS program. Bender said the goal of the JRSS and the JIE need to stay focused on its goals.
“One added concern here is that JIE is a concept and not a program of record. In order to go fast, knowing that it is an imperative for us, in some ways we have sub- optimized our ability to use the Air Force corporate process, and I’m only talking about my service in this case, but I’m sure there is a parallel for the other services, getting the money to do what we need in terms of meeting JRSS is complicated by the fact that we are outside of the normal corporate process,” he said. “I think it’s a necessity and we are working very hard to pull on both of those threads in order to get what we need to move forward. We know what we need to get there.”
As part of that Air Force corporate process, Bender plans to continue Basla’s initial move to further empower the CIO position.
Bender said the JRSS and the JIE need to stay focused on their goals and not try to do too much that will increase the costs of the efforts.
“Our governance structure, the governance executive board, is a way to align with the Air Force corporate process in a way that we bring IT considerations forward in the planning, the programming, the budgeting and the executive phases,” he said. “So aligning ourselves with our governance for IT in conjunction with the annual corporate process, so for example, when I run a December IT governance executive board, we will be looking at program guidance for the 2017 year. So, we will inform that through some of the decisions we make related to IT. A second thing is working hard to find ways to be informative and a part of the investment strategy.”