Terry Halvorsen, who has been the Defense Department’s chief information officer since the summer of 2014, said Wednesday that he will retire from government service on Feb. 28, but that the department’s current IT policies and priorities are unlikely to undergo significant changes during the transition to a new administration.
The remainder of the top leaders within the DoD CIO’s office, including Dr. John Zangardi, the department’s new principal deputy CIO who’s likely to lead the office in an acting capacity for at least the short term, will stay in their posts.
Halvorsen said he’s proud of the progress DoD has made on a wide range of IT initiatives the department pursued under his watch — most of which were detailed in a “way forward” document the Pentagon issued in August — with one possible exception: data center consolidation.
“It’s the one area where I’d give myself the lowest marks. Not the team, but me, because ultimately it’s my responsibility,” he said. “We did not get as many closed as I would like to get closed.”
Insight by Carahsoft: Learn how the FedRAMP PMO and its partners believe the end result of many of ongoing initiatives is a better, faster and cheaper cloud security program by downloading this exclusive ebook.
Among other indications of difficulty on the data center front, the Defense Department failed to meet the Office of Management and Budget’s 2010 goal to shutter 40 percent of DoD data centers by the end of fiscal year 2015. It managed just 18 percent, according to an assessment last year by the Pentagon inspector general.
In light of that track record, Army Secretary Eric Fanning issued directions to senior commanders in a memo last month, giving explicit facility-by-facility orders on which ones must be shut down. The directive, first reported by Federal News Radio, aims for the closure of 60 percent of the Army’s data centers by the end of 2018, partly by consolidating hundreds of stateside installation-specific computing facilities into just four Army Enterprise Data Centers.
Halvorsen said he fully endorses the Army’s approach as one way to accelerate the closure process.
“They’re looking at industry best practices that focus on cost and mission, and I have hope that what they’re doing will speed the process up,” he said. “From a DoD level, we’re looking at [consolidation in] places like Charleston, where there are data centers that are owned by almost every military service and DoD organization and it makes sense to use a shared facility. Our team has just come back with a good plan for how to do that, and they’re going to San Antonio next. But anytime you can get the senior leadership of the military services involved, it’s a really good thing. Secretary Fanning really understands this, and I think his memo will accelerate the Army’s plan.”
In other areas, Halvorsen said DoD has made major progress toward transforming its IT operations, progress that he said was not always recognized by the audit and oversight organizations that monitor such matters.
He said the Pentagon’s implementation of the Joint Information Environment, the department’s ongoing initiative to harmonize, consolidate and better secure the military services and agencies’ IT footprints, is still misunderstood in some quarters, and pushed back against a recent assessment by the department’s director for operational test and evaluation (DOT&E) that concluded that DoD had “not conducted rigorous and comprehensive operational testing of any of the programs associated with JIE.”
“You can’t test JIE, because JIE is a concept,” Halvorsen said. “It says, ‘What are the things I can put together to get to a better information environment?’ It never ends, and I think all of the military services are in agreement that the environment we have today is better than the one we had yesterday.”
DOT&E reserved some of its most pointed criticisms for DoD’s Joint Regional Security Stacks, the one major element of the JIE concept that is also a program of record. The report said JRSS’ capabilities were still immature, don’t have a stable configuration across the sites where DoD plans to employ the stacks, and the personnel who’ve been assigned to work within them aren’t adequately trained.
Halvorsen said his office has a detailed plan to test JRSS as DoD continues the rollout, but the two organizations have ongoing disagreements about how much testing is adequate.
“I think there is still some belief that we have to live by the historical way to field systems. I don’t think that works anymore,” he said. “When you’re buying off-the-shelf technology, I don’t think you need to spend anywhere near as much time as when you’re manufacturing something that only DoD is using. The biggest improvement we’re going to get from JRSS is when we get everybody trained the right way to operate it. That will be an ongoing problem for DoD, because we do have changeover in an all-volunteer force. We cannot take our eye off of that ball, and I think we are all committed to doing this.”
Halvorsen said the department continues to make progress toward replacing DoD’s Common Access Card with successor identity management technologies. In a project the Defense Innovation Unit-Experimental is helping to coordinate, the department began a handful of pilot programs within recent weeks. The ultimate objective is to employ at least 10 different identity factors rather than a single smart card and PIN to verify a user’s identity before he or she is allowed access to Defense networks.
He declined to identify the specific technologies DoD is evaluating, saying that doing so could give an advantage to cyber adversaries, but said they would likely involve some mix of biometrics and user behavior in order to assure that a user logging into a computer terminal or mobile device is who they claim to be.
“And we have to figure out a way to do this with least impact on the users,” he said. “We want to do this in a way that makes sense, and the technologies are getting better all the time to do things like scanning your retina, non-obtrusively, while you’re looking at your computer screen in the morning. We also want to randomize these ten different security factors so that I’m only using five of them at a time. We’re trying to make it so that it doesn’t require anything special on the user’s part: it’ll be their behavior, their biometrics, and some knowledge-based measures we would put in as part of their normal sign-in process.”
Even as he departs, Halvorsen predicted that there will be a high degree of continuity between the IT priorities he and the military service CIOs have pushed over the last several years and those that DoD will continue to pursue during the next administration, since the DoD CIO’s office is led by career civil servants.
“Everybody else is staying, and if they chose to leave it would be part of the normal civil service retirement process,” he said. “Strategically, I think you will see everything that we’re doing continue. Our dialogue with the transition team seems to indicate that the new administration thinks we’re on the right track, and the emphasis on mission effectiveness, getting more agile and relying more and more on commercial capabilities will continue.”