The Defense Department’s information technology leaders have high hopes that they can use cloud technologies, including DoD’s new Joint Warfighting Cloud Capability Contract, to help retire decades of technical debt across the department’s business systems.
Luckily, it’s not a theoretical question. There were already some major examples of the military services successfully using cloud for their business systems long before JWCC became a reality.
During DoD Cloud Exchange 2023, Federal News Network talked with the managers of two of those systems: the Army’s General Fund Enterprise Business System (GFEBS) and the Navy’s Research, Development and Acquisition Information System (RDAIS).
GFEBS and RDAIS certainly aren’t the only DoD systems already running in commercial cloud environments, but they’re among those that have experienced clear, articulable benefits. In both cases, one big plus is the speed at which the services can keep the systems up to date and keep more technical debt from accumulating.
Tracking financial assets for the Army
GFEBS, a massive SAP-based enterprise resource planning system that the Army uses to account for about $250 billion of its annual financial assets, has managed to go through two major upgrade cycles since it first migrated to the cloud in July 2020.
Rob Porter, acting product director for GFEBS said each of those upgrade cycles would have required a couple of years of careful, upfront planning had they been done in a traditional government data center environment.
“One of the big things that we’ve been looking at is optimizing our performance — both scalability with the cloud but also with our individual virtual machines,” he said. “We found out that we could quickly change our VMs to a different type and optimize our performance, and we did that in the fall of 2020. Recently, we’ve just gone through that same review, and we’ve been able to get up to that same performance level while actually lowering our cost on a per-user basis. So it’s been a great benefit to us as far as keeping those costs down in the cloud.”
Managing Navy acquisitions
RDAIS, the system the Navy uses to manage data about its acquisition programs, has been able to deploy new releases even more quickly. There are at least two reasons for that: For starters, it’s a much smaller system than GFEBS. But it’s also one of the first DoD systems built natively in a cloud architecture.
Christine Lamer, program manager for Naval Applications and Business Services (NABS), whose portfolio includes RDAIS, said the system reached its 100th release last month, and its engineers are now deploying new code, on average, every 6.83 days — not that anyone’s counting.
“That’s no small feat in the government,” she said. “But the question we’re asking is, is it scalable? Can we do that business process reengineering with a larger program? I am actively figuring that out. I’m trying to use this model on a larger system. Every day, we are innovating and trying to see if some of these smaller successes can turn into big wins for some of our larger programs within the portfolio.”
But Lamer said her office, part of the Navy’s Program Executive Office for Manpower, Logistics and Business Solutions (PEO-MLB), doesn’t take it as a given that every single system belongs in the cloud. Among the considerations, she said, are a system’s size, complexity and whether it could achieve cost savings through a cloud migration.
Deciding whether to migrate to the cloud
“Billing transparency is another consideration, and we also look at whether the system will benefit from cloud technology,” she said. “If you have a system that’s already dispersed across several data centers, will putting it in the cloud save costs? We also look at whether we have the opportunity to modernize the technology. If we have a system that sunsetting over the next two to three years, it would not be a candidate for cloud, even if there could be some cost avoidance. If we can move it quickly, absolutely. But many times, our acquisition process does not support moving technology quickly, and that’s also a consideration.”
In the case of GFEBS, Porter said the decision to migrate the system to the cloud was a relatively easy one, even if the mechanics involved in making it happen were tough. He said the migration was partly motivated by Army mandates to consolidate and close government-owned data centers, and by the fact that the Army was already creating its own cloud contracting and migration mechanisms through what eventually became the Army Enterprise Cloud Management Agency (ECMA).
“With a migration as large as ours, it was total team effort. We got help from across the Program Executive Office for Enterprise Information Systems (PEO EIS) on everything from enterprise services to cloud, and the Business Mission Area directorate was helping us as far as cloud selection and helping us with some of the technical aspects,” he said. “We also worked with the early iterations of ECMA and with the Army Analytics Group and the Army CIO’s office to get smart on what we can do with the cloud and that we had what we needed to make sure we had contracting language to optimize what we had.”
Security also a critical cloud consideration
With both the Army and Navy programs, operating in the cloud has also gone a long way on the cybersecurity front — in terms of ensuring the systems can quickly implement DoD’s cybersecurity controls and assessing real-world cyber vulnerabilities.
RDAIS uses the Marine Corps Business Operations Support (MCBOSS) hosting and application development pipeline. Together with a continuous delivery, continuous integration platform that’s already received its own security accreditation, Lamer said her team dramatically reduced the challenges involved in the Navy’s compliance-centric security processes.
“The application development team inherits all the infrastructure and platform capabilities, to include approximately 85% of the Risk Management Framework cybersecurity controls,” she said. “That allows the application development team to focus 100% of their engineering efforts on mission capability and the user value. I believe that’s why we’re now at 100 deployments.”
For GFEBS, the cloud had meant a much simpler process for conducing red team and blue team exercises to test the system’s cybersecurity. Now, both teams’ exercises can be conducted simultaneously, as “purple team” exercises, Porter said. GFEBS is the first Army ERP that’s been able to subject itself to such an exercise, he added.
“It’s much easier to do in the cloud. For the red team especially, you need to have a dedicated environment, and we were able to spin that up within our cloud instance so that they could do the test there with both the blue team and the red team,” Porter said. “I expect the other ERPs across the Army and DoD to look to adopt those in the future. Typically, what we had done before was, one year, you do a red team, the next year, you do a blue team. Combining them reduces the cost, shortens the planning … and we’ve also seen a big pickup as far as what we’re able to remediate. We’ve done quite a bit on our vulnerability management.”