The Navy is notifying the managers in charge of dozens of the service’s IT systems that it’s time to consolidate their applications into a relative handful of data centers, and failing to get their systems certified under DoD cybersecurity standards is not an excuse for delay.
In a message distributed throughout the fleet on Dec. 22, the Navy named nearly 60 separate systems that are at risk of failing to meet DoD cybersecurity rules during a migration to centralized data centers. Some of them have authority to operate (ATO) certifications that are due to expire within the next fiscal year; others are operating under accreditations that have already expired.
The applications range from data systems managing personal information on enlisted sailors to electronic textbooks to heating and ventilation systems. Each of them had already been picked as targets for data center consolidation during an October meeting of admirals who oversee the service’s data center consolidation and application optimization plan for 2016.
Almost all of applications are scheduled to move into three central Navy hosting facilities in New Orleans, Charleston, South Carolina, San Diego, or into DoD data centers managed by the Defense Information Systems Agency; and they will need to ensure they meet Defense cybersecurity standards as part of the transition, said Vice Adm. Ted Branch, the Navy’s chief for information dominance.
“Transition delays past September 30, 2016 are not authorized. Systems to be migrated are not relieved of requirements to perform regular system maintenance, monitoring, security scans and patching,” Branch wrote in the message.
The policy leaves some wiggle room for mission-critical applications: In the case of systems that won’t have an ATO in place by the time they migrate to the new data centers, their managers will need to work with both the Navy’s Fleet Cyber Command and senior officials in their own command chains to get an interim authorization to keep their systems running, while acknowledging those systems are at “high risk.”
Like the rest of the military services, the Navy’s data center consolidation effort has been focused on inventorying the number of applications and server facilities that have been operated by its local commands and merging those into a smaller number of government-run facilities in order to achieve economies of scale and, to the maximum extent possible, eliminate the expense of dozens of underutilized server rooms on each military base.
The next step is to make sure the Navy only operates its own data facilities where there’s a verifiable need for the government to own and operate its own data infrastructure, and to outsource most of the rest to vendors who have met DoD’s security standards.
“We want 75 percent of our data centers to be commercial, and we want to use our Next Generation Enterprise Network contract to get there,” Janice Haith, the Navy’s chief information officer said during a recent panel hosted by AFCEA DC. “We’re also looking at how we’re going to do application hosting for commercial cloud services. Right now we do all of that through our main vendor, Hewlett-Packard, but we’re changing that to a cloud access point. There are 23 vendors who could possibly host those capabilities for us but also potentially for the rest of DoD. We have the lowest price point right now because of our existing NGEN contract.”