After years of work inventorying its legacy business information technology systems and building more modern ones to replace them, the Army says it has an aggressive plan in place to cut its number of business IT systems in half, from about 800 to about 400.

One reason that’s an aggressive target is that the Defense Department does not have an especially good track record when it comes to reducing its overall inventory of legacy systems. In its most recent report to Congress on the matter, DoD reported the total number of systems had been static in recent years because older systems that had previously slipped under the radar were being “discovered” at about the same rate that other ones were being shut down. Across the entire department, there are about 1,200 systems with five-year costs of $1 million or more.

“The reason it’s taking a while is first you have to actually see what you have,” Lt. Gen Edward Cardon, the Army’s director of business transformation, told a recent breakfast hosted by the Association of the U.S. Army. “And business IT is only one of four mission areas that use information technology. Altogether, there are thousands of these systems, and it makes it very, very difficult to see the Army.”

At least in the case of business systems, the Army’s plan to reduce the number to 400 is based on an analysis the service hired Gartner to perform based on that firm’s “Tolerate, Invest, Migrate, Eliminate” model. It categorizes systems based on their value and technical integrity so that those that have, for example, both low business value and low technical capabilities are targeted for outright elimination; meanwhile, systems that are operationally critical but technically lacking are candidates for migration to new platforms.

(more…)

The Army appears to have concluded that a chronic lack of funds for military base upkeep is not a problem that’s going to go away anytime soon. Instead of merely keeping their fingers crossed for an influx of new money, officials are in the midst of rethinking everything from how they plan and budget for facility sustainment, to which services truly need to be offered on each post, camp and station.

“We have been on a failed funding and resource strategy with our installations and facilities,” said Randall Robinson, the acting assistant secretary of the Army for installations, energy and environment. “Over the last 10 years, when money’s been available, we’ve used it for Band-Aid fixes to critical installation needs. That strategy has been corrosive.”

The Army is not alone. Each of the services has made its military bases a bill-payer for several consecutive years in order to fund more pressing readiness concerns like ensuring brigades meet their scheduled training rotations. The Pentagon’s 2017 budget proposal, even if passed as-is, would fund just 74 percent of the military’s base maintenance needs for the year.

In the Army’s case, several consecutive years of fixing things only when they’re broken has created a $10.8 billion maintenance backlog, and 22 percent of the service’s facilities are in poor or failing condition.

(more…)

The chiefs of the Army, Navy, Air Force and Marine Corps are all taking time from their day jobs this week to testify about why it’s important that Congress actually pass a budget for 2017, now that five months of the fiscal year have elapsed.

They’ll be speaking to a sympathetic audience: the House Armed Services Committee, and via brief information sheets they sent to Capitol Hill in advance of the hearing, each of the military services have already provided a few salient details about what would happen under a full-year continuing resolution. The funding contingencies they describe are somewhat similar to the measures the military took in March of 2013, when sequestration suddenly left the Defense Department and other agencies with billions of dollars less than they were planning on, midway through a fiscal year.

The Navy, for example, would cut back flight hours across all of its aviation operations. Four of the nine carrier air wings that aren’t already deployed would be shut down entirely, and about a third of the Navy’s newest pilots wouldn’t be able to finish their initial training. That would leave squadrons undermanned by 20-to-30 percent by the end of the year, causing shortages that the Navy said would have ripple effects for the next several years.

The Marine Corps, likewise, would cancel flight operations for 24 squadrons, “significantly worsening” the already large aviation readiness problem it’s faced since the last time it grounded planes during sequestration, officials said.

(more…)

The media and Congress are quick to point out instances in which Pentagon procurement has gone drastically awry, and rightly so, since it’s public money at stake. But it’s also worth pointing out glimmers of progress when we see them.

In its annual assessment of the Defense Department’s major weapons systems, the Government Accountability Office calculated last week that over the past year, DoD has seen a $10.7 billion increase in its “buying power” — GAO’s term for the amount of goods or services the department is able to buy with a given amount of money, even after adjusting for increases or decreases in the number of items within a certain procurement line.

In fact, there are several data points in GAO’s analysis of DoD’s 2016 weapons portfolio that seem to undercut the narrative that weapons costs are out of control, a picture painted as recently as last week by Sen. John McCain (R-Ariz.), the chairman of the Senate Armed Services Committee, who claimed that the Pentagon has “done nothing but resist” Congress’ efforts to control cost growth.

As we reported in some detail last month, DoD’s own analyses show that cost growth is now at its lowest level since 1985 (3.5 percent as of 2015), and it’s been steadily declining since right around the time the department introduced a series of internal reform initiatives known as Better Buying Power.

(more…)

Last week, the Pentagon met the letter of the law by turning in a report to Congress on how it plans to implement one of its largest organizational changes in decades: the bifurcation of the current office of the undersecretary of Defense for acquisition, technology  and logistics (AT&L) and the creation of a new chief management officer.

But the report — a two-page memo from Deputy Defense Secretary Robert Work — offers scant detail about where the department is headed with the reorganization. That’s perhaps understandable, since Congress handed DoD the task of restructuring itself during a presidential transition and when virtually all of its Senate-confirmed leadership posts are empty.

Still, there are a few interesting tidbits in the interim report, a final version of which is due to the Hill by Aug. 1. For instance, DoD says it may ask Congress to elevate the new chief management officer role to a higher-ranking position: an undersecretary for management. Congress actually did that in the 2016 Defense authorization bill, but then repealed the change with the 2017 bill, when House-Senate negotiators settled on the position of CMO instead.

“The department is looking carefully at the organizational responsibilities and structures associated with this senior management official position,” Work wrote in the March 1 memo. “Our goal is to create a position that will attract the best qualified candidate who possesses the requisite business acumen to optimize the business operations of the department and to give that person the requisite authority to improve the performance of the business operations of the department. The focus would address responsibilities for both department-wide business processes and more focused responsibilities for processes within office of the secretary of Defense and defense/field agencies.”

(more…)

The Defense Science Board’s latest study on the state of cyber defense in the U.S. reaches some worrying conclusions, both for civil infrastructure and for military capability. The panel assesses that even after foreign intrusions into election systems, financial institutions and Defense contractors, the U.S. has only seen the “virtual tip of the cyber attack iceberg.”

On the civilian side, the new report warns that for at least the next five-to-10 years, other nations will have offensive cyber capabilities that “far exceed the United States’ ability to defend and adequately strengthen the resilience of its critical infrastructures.”

To make matters worse, the traditional weapons systems the military relies on to deter countries from actually launching those attacks are themselves vulnerable to cyber attack, undermining a deterrence policy one Defense official articulated six years ago: “If you shut down our power grid, maybe we’ll put a missile down one of your smokestacks.”

Consequently, the advisory panel says the Pentagon needs to devote “urgent and sustained attention” to making its strike systems immune from cyber attack and make it clear to adversaries that it’s done that. Otherwise, its threats vis-a-vis missiles and smokestacks will rightly be seen as —well, blowing smoke.

(more…)

Almost exactly four years after the Defense and Veterans Affairs departments decided to go their separate ways in their projects to modernize their electronic health records, DoD’s brand-new EHR is now up and running, at least at one base.

At a Wednesday ceremony at Fairchild Air Force Base near Spokane, Washington, the department will officially announce that the system is now live in the on-base medical and dental clinics operated by the 92^nd Medical Group, replacing DoD’s aging legacy systems, including AHLTA and CHCS (your correspondent will be on-site to speak with DoD health officials; stay tuned for updates).

Fairchild is the first site to receive the new health record, called MHS Genesis; three other Pacific Northwest military hospitals that have also been picked as initial deployment sites will see a rollout between May and July, based on a revised schedule the Pentagon announced last October.

“This morning, MHS Genesis became the single electronic health record (EHR) to document and manage care at Fairchild Air Force Base (AFB)! We achieved Go-Live!!” Stacy Cummings, DoD’s program executive officer for health care management systems, wrote in a memo to her staff last week. “This is an exciting milestone for our team. We worked hard to get to our first IOC site, and I can report first hand from the command center that everything is going as expected. Providers at Fairchild are treating patients while the government and contractor team are quickly implementing fixes to issues as they are identified.”

(more…)

When it comes to defending the country from cyber attacks, Defense officials have made abundantly clear that they plan to leverage the military’s National Guard and reserve components as much as possible, including, most recently, by tasking the Army Guard and Reserve to build 21 cyber teams on top of the 133 U.S. Cyber Command had planned as part of its Cyber Mission Force.

But those cyber protection teams make up only a slice of the cyber capabilities scattered across 54 states and territories that could theoretically be called upon as first responders in the event a major cyber incident happened somewhere on U.S. soil. The trouble is, DoD has no central database that tracks exactly what those capabilities are, and there are no immediate plans to build one.

That would change under legislation that’s just been introduced by four senators who argue the lack of such a database is a major gap in the department’s readiness to support civil authorities, especially considering the breadth and depth of cyber expertise already resident in the Guard and reserve, where many service members are IT and cyber professionals in their civilian careers.

(more…)

Retired Marine Gen. James Mattis is in his fourth full day on the job after the Senate moved quickly on Friday to confirm him as the

new secretary of Defense just hours after President Donald Trump took the oath of office and formally nominated him to the post. But thus far, he’s the only member of the incoming administration’s Defense team to be nominated, yet alone undergo a confirmation hearing.

So for the time being, the remainder of DoD’s senior leadership positions will be filled by caretakers who served in the Obama administration.

Robert Work — who was technically the acting secretary of defense for a few hours Friday before Mattis was confirmed 98-1 — will stay on in his post as deputy secretary until his replacement is nominated and confirmed, at Trump’s request. (Humorous side note: Work, a retired Marine colonel, joked during his retirement ceremony that the real reason was an ancient conspiracy by the Marine Corps to ensure the posts of secretary, deputy secretary and Joint Chiefs chairman were all held by Marines at the same time).

But the President accepted the resignations of the secretaries of each of the military services, along with many of their assistant secretaries and undersecretaries effective Jan. 20, and secretariats of the Army, Navy and Air Force will be temporarily led by lower-level officials who received Senate confirmation in the last administration.

(more…)

In November, when Army officials decided to launch the service’s first-ever bug bounty, one of the key questions they wanted to answer was whether sensitive personnel records were vulnerable to theft by hackers via the Army’s public-facing websites. As it turns out, the answer was yes.

The Army and HackerOne, its contractor for the bug bounty, announced the final results from the Hack the Army challenge late last week: In all, 371 “white hat” hackers participated in the one-month exercise and uncovered a total of 118 separate security holes in websites operated by Army Human Resources Command.

But among the most serious was one in which a security researcher discovered a pair of security problems that let him hop directly from the Army’s main recruiting website, GoArmy.com, to an internal DoD network that’s not supposed to be accessible to the public without triggering any warnings to the Army’s cyber defenders.

According to HackerOne, the serious security problem was a combination of a misconfigured proxy server in the public-facing web portal and a separate flaw in a system that controls access to the Army’s internal network.

“It allowed researchers to chain a couple vulnerabilities together to get access to internal systems that shouldn’t have been exposed to the public internet,” Alex Rice, the company’s chief technology officer and co-founder said in an interview. “That’s exactly the type of finding that shows the value of having human intelligence applied to this problem. When you have multiple vulnerabilities that would have to be combined in a creative manner in order for someone to exploit them, that’s the kind of thing that automated tools and traditional scanning technologies just completely miss. It takes human ingenuity to make these leaps of logic.”

(more…)