The new laws, meant to give the Pentagon more authority to enforce common IT standards throughout the military services, are coming into play already, officials told the Senate Armed Services Committee last week.
After nearly a decade in which DoD has used more carrots than sticks to push IT consolidation, they suggested that the department will take a much more directive approach over the coming year.
“You have a set of leaders that are very impatient, including myself, that are done admiring the problem and are moving on to tasking,” DoD CIO Dana Deasy said. “This includes being less tolerant with people being able to go off and use their own solutions. The authorities that you all gave me starting this year around being able to set architectural standards are quite significant, and we are now starting to use those new authorities.”
Defense officials offered few specifics about the types of changes they intend to direct, but much of the way forward will be laid out by a cross-functional team led by Brig. Gen. Dennis Crall, the principal deputy cyber adviser to the secretary of Defense.
Crall said the department spent most of the last year setting the stage for the reforms it plans to implement, including by publishing a new cyber strategy. This year, he said, will be all about starting to deliver meaningful results.
“So while it’s a good year for implementation, I would say it may not be a good year for some other things,” he said. “The first is stovepiped solutions. It’s a bad year for those who like to approach this in a way that we have endless niche capabilities and do business their own way: lack of standards, individual development, and difficulty in integrating. We’re putting an end to that practice, which has really robbed us of success. It’s also a bad year for those who don’t like measures of effectiveness or discussions on data-driven return on investments. We owe an accountability for how we’ve spent our money and also a level of accountability on what capabilities we’ve achieved in the expenditure of that money and effort.”
The sentiments Deasy and Crall expressed appeared to be in tune with the frustrations Congress laid out when it passed the 2018 National Defense Authorization Act, which contained the new authorities.
Specifically, the legislation gives the CIO the authority to set departmentwide IT and cyber standards, plus the mandate to conduct annual reviews of the military services’ budgets to ensure they’re setting aside enough funds to implement a common cyber approach.
“Countless efforts across the Department of Defense are plagued by poorly enforced standards and a CIO position whose policy and guidance are largely considered as advisory by the services,” the Senate Armed Services Committee wrote in a report accompanying the legislation. “As a result, each service continues to pursue disparate information technology and business systems efforts.”
That same year, lawmakers vented frustration that the cyber adviser position now held by Crall has historically been a weak player in the Pentagon’s overall power structure.
“The office of the [principal cyber adviser] has been chronically under-resourced since its establishment, and (members) are concerned about the impact of under-resourcing on the PCA’s ability to effectively execute its assigned roles and responsibilities,” they wrote in the final NDAA’s explanatory statement. “The conferees believe that the PCA should be robustly manned and resourced.”
But Crall suggested the tide had turned since that language was written. He said the cross-functional team Congress ordered to staff the office has proven effective over the past year.
“Congress got that right. The cross-functional team works, and it has several advantages,” he said. “It’s only as good as it’s paid attention to, but the cross-functional team that’s involved under the PCA is well-resourced in the sense that we’ve got the right people. The participating agencies that provide representation of the workforce sent us their best. We got good people. The second piece is we can approach problems in ways that don’t have some of the biases. We don’t have any stake in the legacy systems that we hold onto, it really is about the mission. So we normally come to the table with an advantage in solving some of those problems. It’s been instrumental in moving the strategy into implementation.”
DoD first started drawing up plans to collapse its legacy networks and IT services in 2010 under an initiative known as the Joint Information Environment, and began taking serious steps toward implementation — with an emphasis on shared cyber infrastructure, enterprise services and cloud computing — in 2012.
However, the Pentagon has struggled to herd the large number of cats involved in implementing the vision, and to define the project’s cost and scope, according to the Government Accountability Office. And in recent years, the “JIE” moniker has begun to fall out of favor: It was not uttered a single time during last week’s 90-minute hearing on cyber standards.
In its annual report last week, the office of the Director of Operational Test and Evaluation did offer a short description of JIE’s status, but said that DoD’s Joint Regional Security Stacks — one of its key foundations — is performing poorly, and “calls into question the current JIE cybersecurity approach.”