Intel agencies push shared IT services from concept to reality

Three years after the intelligence community’s leaders agreed that it was time for them to consolidate their IT systems into a shared infrastructure, the project has moved beyond PowerPoint slides and scattered pilot projects.

The Intelligence Community Information Technology Environment (ICITE) has services up and running now, with thousands of users consuming them, several of the IC’s top technology officials said Thursday.

Under ICITE’s shared services model, 9,000 users now have migrated to the common desktop environment that the National Geospatial Intelligence Agency and the Defense Intelligence Agency are building for the rest of the IC.

Setting the foundation

Multiple agencies already have begun moving their data into the commercial and government-operated cloud environments the CIA and the NSA built over the past two years. A central app store — available for use by any of the government’s 17 intelligence agencies — has 460 applications in its inventory so far.

“The foundation is in,” Al Tarasiuk, chief information officer for the Office of the Director of National Intelligence, told a Washington conference hosted by the Intelligence and National Security Alliance and AFCEA. “We’d envisioned a consolidated architecture and a shared mission platform. It’s now in place. It’s really about an adoption strategy, and that’s something that the agencies own now.”

The ICITE model gives the ODNI a lead role in governance, but the IT services are being provided in a decentralized model that gives the “Big Five” intelligence agencies most of the responsibility — and the funding — to build various network services.

For example, NGA and DIA’s common desktop environment has been in a pilot status since last year. Since then, the two agencies have deployed it to 9,000 workstations.

Most of the deployments so far have been within the boundaries of those two agencies, but they plan to award a phase-two contract within the next year that will begin to roll the desktop out to the rest of the IC at a rate of about 50,000 users per year until all 200,000 workstations are covered.

Proof in the NSA’s pudding

In the meantime, the National Security Agency agreed to be the testbed for the common desktop at a new facility near Denver. The NSA-managed complex, codenamed Mountainview, still is under construction. But once it’s up and running, it will be the first site in the world in which every user at every workstation will use ICITE from day one.

“We’re really excited about that, because it will give us an opportunity to prove to ourselves and to some critics that the IC can really accelerate intelligence integration,” said David White, NGA’s chief information officer.

The Mountainview site will be a true test case for ICITE not just because of the common desktop, but because operators there also will be using the shared cloud computing systems that the CIA and NSA have contributed to ICITE, said Lonny Anderson, the director of NSA’s technology directorate.

“Denver is literally our first chance to turn an entire facility into an ICITE location. Not the NSA’s first chance [but] the IC’s first chance. The desktops are coming from NGA and DIA, not from NSA, which is a huge cultural leap for our workforce,” he said. “The rest of the partners who are also at Denver will use our cloud services. We are moving forward with the implementation of ICITE. 2014 is the year of adoption. In 2015, we’ll actually pick up steam.”

From legacy system to cloud

ICITE’s cloud environment is made up of multiple clouds, at least for now. Collectively called the “IC Cloud,” it includes an NSA-developed-and-operated system known as GovCloud, plus a commercial cloud that the CIA hired Amazon to build within the intelligence community’s security boundaries.

Anderson said those two clouds are almost entirely interoperable. In general, applications that work in one should operate just fine in the other.

But as more and more IC users migrate their data from legacy systems into those two clouds environments over the next year, NSA and CIA will study whether there’s an ongoing need to operate both.

“We opened a joint storefront, because we don’t want the customers to have to think about where they need to go and what services they need to buy,” Anderson said. “All they need to tell us is what their requirements are, and the storefront will say, ‘Based on that, here’s where we’re going to move your data.’ We believe over time we’ll have the metrics to decide whether we really need two storage clouds and two utility clouds.”

Tag data, tag people

Anderson said the NSA’s cloud already is set up to accommodate ICITE’s main slogan: “Tag the data, tag the people.” Each piece of information that makes its way into the GovCloud also is accompanied by metadata that identifies where it came from, what kind of data it is and which security credentials are necessary to access it.

That’s easy enough for NSA’s own data, because the GovCloud is a carbon copy of a system NSA built for its own purposes a few years ago.

The agency is now working through how exactly to ingest, tag, segregate and manage access to data from other IC agencies who operate within different legal authorities.

For example, while the CIA isn’t allowed to collect any data on U.S. citizens, the FBI does so routinely. Other legacy databases across the intelligence community are set up so that there are boundaries to individual systems, not the data which resides in those systems.

“The caveats for how we ingest that data in the cloud, what it’s allowed to intermingle with, who can see it and who can control it, how long we keep it before we purge it is still something that’s pretty interesting,” Anderson said. “When another agency comes to us, our developers need to sit with that person, and we talk through what changes we need to make to the data ingest process in accordance with legal, policy, oversight and compliance rules. But eventually, we’ll come up with a library that’s pretty straightforward.”

License agreements in the pipeline

Among other ICITE services that are now running is a new security coordination center, managed by the ODNI. Its job is to provide counterintelligence services and insider threat information to the IC’s network managers.

The IC also has started coordinating its software licenses. Tarasiuk said the intelligence community wants to negotiate unlimited user licenses for its most commonly-used applications. It’s had just one success so far: an enterprise license agreement with ESRI, a major geospatial information firm. But nine more such agreements are in the pipeline, he said.

Tarasiuk said the original impetus behind ICITE was to economize on technology spending — IT consumed 25 percent of the intelligence community’s overall budget when the IC first settled on the consolidation strategy two years ago.

But the project so far has convinced most of the IC’s leaders that a more common IT enterprise also stands a good chance of letting each of the 17 agencies do their jobs more effectively and produce better intelligence.

“It’s very exciting to see not just the IT folks coming together and working through the technical issues, but the mission users met last night, and [there] was a lot of excitement in the room,” Tarasiuk said. “They’re working together to figure out how to rationalize some of these applications, what data sets we need to prioritize. There’s a lot of collaboration that’s going on within the intelligence community as a result of this little boring infrastructure project we call ICITE.”

RELATED STORIES:

Intel agencies ready to start deploying shared IT systems

Pentagon looks to build a bridge between military, intelligence IT consolidation efforts

DISA’s commercial cloud strategy remains a work in progress

Comments