Just over a month ago, the Army put a foundational piece of its cloud infrastructure in place.
In February, the common secure environment for unclassified software development received its authority to operate (ATO). This means anyone in the Army now can go to this cloud service, develop a new capability, get it into the field in days or weeks and do it securely.
Paul Puckett, the director of the Enterprise Cloud Management Office for the Army, said this DevSecOps platform is central to the new cArmy initiative, which will transform and standardize the service’s approach to delivering capabilities to warfighters.
“We already have an operational application that is in production and actually has adoption globally, helping to save time for essentially our depots across the Army today and the way that we handle logistics,” Puckett said during Federal News Network’s DoD Cloud Exchange. “It’s definitely at the early stages when it comes to the people and the processes because these are new for the Army.”
Similar to the Air Force’s Cloud One and Platform One programs, the Army recognized in 2020 that it needed some fundamental common services to ensure security, standardization and ease of use to truly take advantage of the cloud and deliver applications and services to the mission areas.
The Army published a new cloud strategy that focused on not the technology, but reimagining the way the service develops, uses and modernizes its technology and infrastructure.
“The Army needs three fundamental things if we’re going to accelerate cloud adoption. You need to provide common services that shouldn’t be something where everyone is rolling their own. You have got to provide a common secure environment for the Army to use. You’ve got to provide common secure software development tools and resources for the Army to use in this world of DevSecOps. And you’ve got to provide common tools and resources to manage data, to be able to discover and use and share data in the most basic form,” Puckett said. “Those are the three foundational things that’s going to allow us to grow.”
For Puckett and the Army, it’s not just about growing the cloud or the number of applications. It’s a wholesale change in their entire approach to modernization.
“When I have the ability to have literally a global infrastructure on demand at the push of a button, that means all of my business processes need to change, all my security creation processes need to change, the way that I drive after acquisition needs to change. And ultimately, the way that our systems are designed to where they share information also needs to change as well,” he said. “We codified this in the cloud plan. There are actually a few strategic objectives that we call out there, six specifically. But first and foremost, you can see this really reflected in how the Army’s been driving after cloud to accelerate data driven decisions. And that’s really objective number one.”
cArmy to accelerate data to decisions
Puckett said the Army doesn’t just want to “lift-and-shift” the contents of its data center into the cloud, which he said was what was happening during the early days of the movement.
Instead, the cloud strategy and cArmy aims to field software faster, accelerate data-driven decisions and change the design, security and overall impact of the capabilities.
“We need to change our security accreditation process. We need to get the people that actually have these skill sets. We need to establish cloud design, software development and data engineering as a core competency. We need to also design software to be adaptive. This is an unpredictable world. COVID-19 clearly taught us that. And we need to design our systems to be able to adapt in real time to the way that the world changes in our needs. And then finally, we need to be accountable,” he said. “This is foundational to the way that you run and operate an enterprise. You need to be able to see everything that’s going on within this ecosystem. There’s a certain type of oversight and monitoring that needs to exist, and a certain amount of control to ensure that we’re building IT systems that are not only solving a problem and completing a mission, but they’re also secure.”
The cArmy initiative is as much about control as about the freedom to the mission areas.
Puckett said cArmy’s tools and capabilities ride on top of a multi-cloud approach so each base or command can decide how they want to meet their mission goals.
“Let me take care of all that low-value stuff that just has to be there. So you can focus on the high-value stuff for your mission,” he said. “What we’ve seen is rather than taking 9-to-12 months for a system to move to the cloud, be accredited and then be available, we had one that started February of 2020, and they went operational in May of 2020. So a three month turnaround timeline for adopting cloud. We’re dramatically cutting down the lead time to become a running capability. That’s critical to get feedback and improve on the resources or the capabilities that we’re fielding within the cloud today.”
Security must become inherent
The Army is not trading speed for security. The DevSecOps process automates much of the security oversight that the Risk Management Framework demands.
Additionally, as the Army changes its architecture and design processes to take more advantage of the cloud, the security become more inherent.
“This notion of shifting security left, we’re starting to then have much better system designs. We’re starting to move higher up the technology stack, so we’re able to just start to provide these ecosystems as-a-service that already have security baked in, which will simply let people focus on the application layer, the data layer, and not hold all these crazy opinions in the technology stack that just is going to become technical debt over time,” Puckett said. “What this means is it has more resilient architectures. They become more cloud native, and that means that if we want to add new features or patch, it’s not a notification of something that we can’t do for a plan of action and milestone (PoA&M). We’re able to now patch these systems in real time, and that speed is really critical when we talk about the risks that we see today in the digital domain.”
Puckett added the Army only will be successful in using these tools if commanders understand what the problem is they are trying to solve in the first place as well as the data that goes with it.
“This journey to really see ourselves was codified in the data. The cloud execution order is really needed to understand our data because we see data and our ability to leverage data as foundational to contributing and winning in the domain of machine learning and artificial intelligence,” he said. “The precursor to machine learning artificial intelligence is what data do I have, and what I think is important about that data to then let us start to learn and kind of grow in that ecosystem. We look at your system design and we look at what data you have, then it starts to see some little patterns start to emerge.”