As the Pentagon’s top enterprise IT official sees it, many of government’s previous rationales and strategies for moving to the cloud failed to adequately answer a key question: What do we do once we get there?
With that in mind, the latest strategic framework not only has a new moniker — it’s now called the Software Modernization Strategy — it also tries to force the department to ask deeper questions about the actual mission value of cloud and the other “enablers” that need to fall into place to make the best use of it.
“After the initial cloud strategy that we published in 2018, we began to realize that the mission impact was not immediately jumping out at folks,” Danielle Metz, the department’s chief information officer for information enterprise, said during a keynote discussion at Federal News Network’s second annual DoD Cloud Exchange. “We’ve broadened the aperture of what we think the problem statement is: It’s how do you develop and get capability to the warfighter in a quick and agile fashion at the speed of relevance? It comes down to harnessing the power of cloud compute and then being able to natively build applications continuously and often in that space.”
Speeding delivery of secure services via cloud
While cloud technologies are still central to the strategy, nowadays, their existence and availability are almost taken as a given.
So the new framework, signed by Deputy Defense Secretary Kathleen Hicks, is more about shortening DoD’s software delivery times, which includes institutionalizing the policy exceptions that have helped the dozens of development, security and operations (DevSecOps) software factories that have sprung up throughout the military services to thrive. Plus, it aims to tie them together in an integrated ecosystem that shares code across various existing repositories.
“The fact that you’re virtual, in the cloud, affords you the ability to share — and you actually want to share — because that’s where you get innovation and collaboration,” Metz said. “I think it really is a cultural shift from having a physical instantiation of something and saying that it’s yours, to being in a space where you can actually play, use and inspire for others.”
DoD Software Modernization Strategy builds on DIB recommendations
The strategy was heavily influenced by the Defense Innovation Board’s 2019 “Software Acquisition and Practices” study, which made 10 main recommendations for how to bring DoD software development into the modern era.
And it includes plenty of objectives that the DoD CIO office can’t achieve by itself, like making much broader use of a new software-specific pathway within the DoD acquisition system, reforming the budgeting process for software-intensive systems and trimming away policies that get in the way of agile development.
Metz said that’s why the deputy secretary’s signature on the new strategy was essential — as is the fact that the implementation plan that will follow behind it later this year will be drafted not just by the CIO Office but by a new Software Modernization Senior Steering Group (which includes senior officials from the offices of the Undersecretary of Defense for Acquisition and Sustainment and the Undersecretary of Defense for Research and Engineering).
“Below that, we have an action officer working group that is 50 members strong, and they’re the ones who are actually going to put pen to paper and work this through,” she said. “We also have a cross-functional team with representatives from the military departments, the fourth estate, program executive officers, operators and acquisition experts. We really want to have that full complement because we really believe that this challenge is not just for one organization or one skill set.”
Finding a commercial and private cloud balance
Another major way in which the new strategy differs from the Pentagon’s previous cloud strategy has to do with the cloud environments themselves.
The previous iteration, written at a time when DoD was still pursuing a single-vendor approach for its enormously controversial and now-cancelled JEDI Cloud contract, tried to straddle a line between claiming the department would embrace a multi-cloud approach while simultaneously trying to push most of DoD’s cloud consumption into JEDI.
The new version is more permissive, recognizing that the military services have had success standing up and using commercial cloud contracts of their own during the interval when JEDI was delayed by numerous, years-long bid protests.
JEDI’s replacement, the Joint Warfighter Cloud Capability (JWCC), expected to be awarded later this year to up to four vendors (but perhaps as few as two), will not be mandatory.
In the near term, it’s mainly meant to serve the “fourth estate” combatant commands and Defense agencies that don’t currently have direct access to cloud procurement vehicles, Metz said.
“But this truly is going to be an enterprise cloud service for the entire department that will provide the full complement of what is currently missing,” she said.
The main missing pieces, from DoD’s perspective, are cloud services that can serve every one of the military’s classification levels, from unclassified to top secret, and deliver one integrated cloud environment that stretches all the way to the tactical edge of the battlefield.
“The military departments already have piece parts of that, but the combatant commands and the [Defense agencies] don’t. That’s the urgent unmet need that we are working through with JWCC,” Metz said. “Unlike its predecessor, we’re not mandating this. It’s really about access for all. And as the military services need certain capabilities and services that they don’t have on their current contracts, they’re absolutely able to use JWCC when those contracts expire.”
JWCC itself is only meant to be an interim solution. Once its three-year base period and two one-year option years have run their course, DoD thinks it will have moved on to yet another enterprise cloud contract awarded through a full and open competition. But the acquisition strategy for that hypothetical procurement is still years away from being fully developed, let alone publicly announced.
Revising the ATO process at DoD
DoD’s pivot toward an emphasis on software modernization rather than cloud for cloud’s sake also comes at a time when top IT policymakers are refining their security approval policies.
The same week the department released the new Software Modernization Strategy, it also issued a new memorandum laying out a new process for how system owners throughout DoD will earn continuous authorities to operate (ATOs).
The new cloud and security policies are interdependent; DoD components need to be able to make good choices about where to accept risk. Those decisions need to be based on solid operational testing, the new policy makes clear. But they can’t take forever.
“We spent about eight months doing the continuous ATO memo, working through the CISO community, ensuring that they also had buy-in,” Metz said. “The continuous ATO is really focused on DevSecOps, but there is a pathway within the continuous ATO memo to bring that forward to the DoD CISO. … We want to be able to allow opportunity for innovation. If there’s another modern practice that could have an operational effect, we wanted to make sure that we can also include that.”
To listen to and watch all the sessions from the 2022 Federal News Network DoD Cloud Exchange, go to the event page.