Addressing cyber shortages and going after zero trust: Pentagon’s efforts to modernize its forces

This year Federal News Network heard from top defense tech officials about their priorities, developments and plans as the DoD is moving forward with its modern...

While emerging technologies, including artificial intelligence, dominated tech conversations, zero trust implementation, software modernization and the cyber talent shortage remained top of mind for top tech officials at the Defense Department.

JWCC memo is setting the scene for future hybrid cloud advances

The DoD CIO’s August memo directed the military services to purchase future cloud capabilities across all classification levels using the Joint Warfighting Cloud Capability (JWCC) contract.

The memo, however, is not about mandates. It is more of a scene setter for how the Defense Department should be moving forward with its efforts to move each service’s cloud capabilities to the JWCC.

“It basically tells the department that our intention is to maximize the use of JWCC, this enterprise cloud, multi-cloud capability to the maximum extent possible. In addition, it lays out that now that we have this multi-cloud capability for the enterprise, how do we look at what we have already in all the clouds, which have sprouted up for [real] needs, and help us rationalize?” Lily Zeleke, the deputy DoD CIO for information enterprise, told Federal News Network in August.

DoD awarded the multi-vendor cloud contract to Amazon, Google, Microsoft and Oracle in December 2022, marking the beginning of a new era for DoD’s efforts to modernize its cloud ecosystem.

Barely a year into the JWCC, DoD is already considering a follow-on contract. DoD CIO John Sherman said the department will start to consider “JWCC 2.0” in the coming year.

“We said all along, in 2024, on that timeframe, we’re going to start looking at what comes next. And no, I don’t have a date for the [request for proposal] or exactly when this is going to come out. But I will tell you we are firmly committed to multi-cloud, multi-vendor, and this is what we’re going to be doing going forward,” Sherman said at the annual DoDIIS conference on Dec. 13.

The military services are reviewing their cyber capabilities

DoD’s zero trust strategy and implementation roadmap are out. The military services submitted their zero trust implementation plans for review. Now, the Zero Trust Portfolio Management Office is going over those submissions before it has to brief Congress on the progress made in January 2024.

“Our plan is that we’ve assembled probably the equivalent of maybe 17 or 18 full-time equivalents (FTEs), probably about 25 people, if you count them all, to spend the next four to six weeks analyzing every one of those plans and measuring the success of those plans, and whether or not they’re giving us the information. We want to know how every single component is going to be hitting target level zero trust or higher by fiscal 2027 or earlier, and a layer on top of that is how are they going to achieve it,” Randy Resnick, the director of DoD’s Zero Trust Architecture Program Management Office, said at the Cyber Beacon Conference on Oct. 19.

Since the goal is to achieve target level zero trust readiness by 2027, Resnick wants the services to start buying solutions by the end of fiscal 2024.

DoD is helping the services to implement zero trust through the Defense Information Systems Agency’s Thunderdome initiative. DISA recently moved its zero trust pilot to production through a $1.9 billion contract with Booz Allen Hamilton.

Army is transforming software development and acquisition

Gabe Camarillo, undersecretary of the Army, said the service is ready to release new policies in 2024 that will “fundamentally reshape the landscape” of acquisition and software development.

Service leaders are turning lessons learned from the Army’s 11 software pathway pilots into new development and acquisition policies that are supposed to standardize and accelerate the processes for managing and maintaining software.

“There’s a couple of things that we’re looking at in that space. One of which is making sure that we formalized and standardized the way that we do those requirements for software development programs. Obviously going more to a CI/CD approach and a more generalized description [of what we want]. Another approach is changing the way we do test and evaluation for our software programs. There’s a lot of contractor vendor testing that we can utilize, and we can train our test and evaluation workforce to utilize that without having to recreate it,” Camarillo said at the recent AUSA conference.

The enterprise business systems convergence initiative was one of the first programs in the Army to apply the agile and DevSecOps approach. The Army’s CIO, Leo Garciga, who is involved in the software modernization efforts, recently signed a memo outlining standards for software containers.

DoD is addressing the persistent scarcity of cyber talent

Facing a cybersecurity talent shortage with almost a quarter of all cyber positions unfilled, the Defense Department hopes its new plan will reduce the cyber workforce vacancy rate by half in the next two years.

In March, the Pentagon finally released its cyber workforce strategy, followed by an implementation roadmap aimed at addressing the cyber workforce gap.

The current workforce includes about 225,000 cyber positions for civilians, military and contractor personnel, but 25% of those positions remain vacant.

Some broader goals of the implementation plan include establishing an enterprise-wide talent management program and creating a cultural shift, and military services are thinking outside the box in how they are hiring cyber talent.

In an interview, the Air Force told Federal News Network how it is applying the “Tom Brady effect” to finding cyber workers.

The cyber decision cognitive assessment and readiness system (CYDE CARS) program the service was testing out offers a new approach of looking at personal traits versus professional skills. The hope here is not just to identify and hire better cyber workers. The Pentagon’s biggest challenge is its retention rate – and the program is supposed to bring in the talent that will stay with the DoD for a long time.

“Through this assessment, we really looked at five specific traits as they aligned to specific cyber work roles. They were focused under pressure, methodical thinking, attention to detail, decisions on ambiguity and perseverance. Those five traits, anybody would say, for any job, are beneficial. But for a specific cyber work role, it’s not whether or not you have the traits, it’s to what degree do you have each of those traits,” Air Force Lt. Col. Andrew Wonpat told Federal News Network in October.

“When we started to look at how do we find those people and I was talking to the people that are helping us do this and they used a term called the [former NFL quarterback] ‘Tom Brady effect.’ When you look at Tom Brady, by objective measures, he was not a phenomenal athlete. He was picked in the sixth round. If you look at his numbers, he is average or below average for most of the statistics. But if you look at Tom Brady, he is one of the most phenomenal athletes that has ever graced football. There are a lot more Tom Bradys out there, how do we go find them so that we can be successful on the cyber side?” Wonpat added.

The Air Force has also brought in cyber professionals through the direct commissioning program. While highly competitive, the program allows the service to tap qualified enlisted members and civilians to fill vacant cyber jobs.

But the Defense Department is not the only one facing dire cyber talent shortages. The cybersecurity workforce has been in crisis for years, and the White House finally unveiled the national cyber workforce strategy earlier this year, taking direct aim at the problem.

Copyright © 2024 Federal News Network. All rights reserved.
