The Defense Department on Thursday rolled out a new outline of its IT modernization priorities, calling it a “living document” whose goals include better cooperation with industry and stronger oversight over the disaggregated $36 billion DoD spends on information technology each year.
To a large extent, the document, titled The DoD Information Environment Way Forward, is a restatement of several major initiatives department leaders have already described in numerous public forums for the last several years, including implementation of the Joint Information Environment, consolidation of data centers, a revamping of identity management and migrating to cloud computing environments.
But Terry Halvorsen, the DoD chief information officer, said it was important to put eight overarching IT goals down on paper, because from here on out, the department wants its foreign military counterparts and the IT industry itself to help shape future versions.
“We’ve always talked with industry, but we’re trying to ask how you actually partner with industry, and some of this is going to push some boundaries,” he said on a conference call with reporters. “We need to change the art of the conversation. We always publish our requirements with very detailed technical specifications. I don’t think that’s the answer anymore. What we need to talk about is the capabilities we need: For example, I need to stand up an ad-hoc communications network with our allies at a moment’s notice, and let industry tell me all the different ways that can be done. They need to be engaged from the beginning. They will bring data that will help us do market elimination and what’s the best of breed.”
The first edition of the “Way Forward” does include some concrete objectives along with dates by which DoD plans to achieve them. For instance, the department says it will stand up an on-premises shared cloud environment by the fourth quarter of 2017. The Defense Information Systems Agency’s current MilCloud solicitation will be part of that environment, Halvorsen said, but will only be one piece of it.
“We won’t know this for sure until we’ve teed-up several requests for proposals and gotten the responses, but the vision I have is that it would probably be a third-party managed cloud that would provide us a set of enterprise services including email, record storage, video, chat, file share, collaboration space and dev-ops on smaller projects on how to think about new ways to think about delivering information and data. There is no single cloud answer for DoD, and there is no single cloud definition for DoD: If you use the best definition for cloud, which I think is distributed computing, we’re going to use the best one for each of our mission requirements.”
Also, by the first quarter of 2017, the department will assemble a high-level team made up of DoD CIO personnel and experts from the military services to conduct site visits at the department’s 25 most expensive data centers. The team is consulting with the IT industry to draw up a list of criteria it will use in examining those centers to determine whether they could be made more efficient or should be closed altogether.
“There are some data centers that are very sophisticated but are also underperformers from an efficiency perspective,” said Randy Conway, the deputy DoD CIO for enterprise services. “They need a jolt, and we’re going to be an impetus to get that moving. But this is not the only initiative to close data centers.”
But Halvorsen said a recent streamlining of authorities makes it much easier for his office to order the shuttering of facilities it’s deemed to be excess.
“Randy’s team and the military services developed agreed-upon cost metrics so that we can compare apples-to-apples, and I’m going to make a decision based on their recommendations and take it up my chain, which is now the vice chairman of the Joint Chiefs of Staff, the chairman, the deputy secretary of Defense, and they’ll say go-or-no-go. We’ve shortened the chain.”
With respect to identity and access management, Halvorsen has already made clear that he wants to mostly eliminate the role of DoD’s Common Access Card in authenticating users on Defense systems within the next two years, but says his office is nearing some preliminary decisions on what will replace the CAC.
“The answer could be slightly different six months from now, but today, I think it’s going to be a combination of biometrics, personal behavior and your behavior on the network. One thing that’s very hard to mimic is how you actually interact with your machine — how often you search files to how much time you spend in certain databases,” he said. “That’s all stuff we can track, and should track, and we can do that without having to store and share sensitive personal data.”
Halvorsen says that approach to identity management would be helpful in sharing information across the networks of trusted allies, but also in ad-hoc situations where a one-time network is needed to connect various government agencies and non-governmental organizations in, for example, a disaster response scenario.
“And even if you’re only connecting with allied partners, you’ve still got to know it’s the right people on the network,” he said. “If you have these agreed-upon standards, you can do that much faster and get networks up and running. You can’t do that with a CAC card. Physically, you can’t issue them fast enough, and you have to go through a vetting process. The other trick is that I don’t think it’ll be a constant set of personal data. I think it’ll be various types of data that we have on file about a user’s behavior and we’ll rotate that. So even if someone manages to break into one of our systems, they don’t know which key fits in which lock.”
The department’s new IT guidance continues to emphasize the importance of implementing the network consolidation and security improvements DoD has been working on under the auspices of the Joint Information Environment — that’s goal number one, in fact.
But to achieve everything DoD has been trying to accomplish under JIE, the plan also highlights the need for stronger governance from both the DoD CIO’s office and the military component CIOs, saying the military’s networks are “unnecessarily complex” because of their lineages in service-specific networks and the budget lines that paid for them.
Halvorsen said the department is working to make the funding behind all of its networks less opaque.
“We are working hard on improving the transparency of all our financial systems,” he said. “Two years ago, if you asked me how much I was spending on data centers, I could have flippantly answered that I wasn’t spending anything. Because there was no funding code for that. There is now, and we’re getting more discrete about how we can see our own spend on hardware and software: sharing that is the next key step we need to take. We want to present this to Congress in ways that make sense, and in a lot of cases we’ve been guilty of not doing that. We don’t need additional authorities. We have them now, and in most cases it’s been a matter of failed execution.”