For the better part of a decade, the Pentagon’s IT leadership has struggled with how to persuade the military services and Defense agencies to consolidate their email and office tools into something that resembled a single, unified enterprise. It took a global pandemic to make it happen, but the Defense Department now appears to have achieved that goal.
There’s little question that the biggest catalyst for change was a project called Commercial Virtual Remote (CVR), the implementation of Microsoft Teams that DoD launched in March 2020 as an emergency measure to let millions of employees do their jobs from home. The wildly successful service finally went dark on June 15, after having been extended several times.
At its peak, CVR, hosted in a commercial cloud, handled online meetings and collaboration services for 2.3 million users throughout the department. It’s the first real example of the entire Defense Department converging around a single enterprise IT solution — and it likely would not have happened except for the time crunch the pandemic imposed.
“There was a feeling that we can only do this once, instead of each one of us trying to figure out how to do it for ourselves,” Danielle Metz, DoD’s deputy CIO for information enterprise, said in an interview for Federal News Network’s On DoD. “Typically, when we have the luxury of time, that’s our default. But the experience of CVR has shown that working together as an enterprise really does work.”
And that lesson in behaving like an enterprise wasn’t purely an academic one. Once a widespread user base adopted and grew to like CVR, it became apparent to IT leaders throughout the department that the demand for cloud-based collaboration wasn’t going to subside. So Defense components dramatically accelerated their plans to migrate users to more permanent cloud offerings that offer the full suite of Microsoft 365 tools.
Metz said 80% of the department’s workforce had already made the transition by the time of the June 15 CVR shutdown. And some DoD components are ahead of others. The Air Force, for example, was ready to enable its version — Cloud Hosted Enterprise Services (CHES) — right away, for its entire workforce. The Navy, meanwhile, was only prepared to onboard a smaller subset of existing CVR users to its version — Operation Flank Speed — and plans to transition the rest of its workforce throughout the remainder of this calendar year.
The long-term replacements differ from their predecessor in several important respects. For instance, CVR was only authorized for the lowest levels of unclassified data: what DoD’s cloud security requirements guide classifies as “Impact Level 2.” Its successors will be authorized up to Impact Level 5, DoD’s designation for the most sensitive types of unclassified data.
“CVR was a standalone capability — it was just Microsoft Teams, and it had limitations, by design, because it fit a very specific need,” Metz said. “The 365 cloud environment covers the totality of our controlled unclassified information, and it integrates all of the Office suite productivity — Teams, Outlook, all the Microsoft applications. And it will have the additional security that we didn’t have in CVR, just because it was an extraordinary circumstance.”
Another major difference: The full-fledged cloud productivity suites Defense employees will use from now on aren’t strictly an enterprise service in the same way CVR was; they’ll operate in a federated model, with each military department running its own Office 365 “tenant,” and the Defense Information Systems Agency running a separate tenant to serve employees at various DoD agencies.
But Metz said the federated environment should still operate more or less like a unified enterprise. The department intends to build on lessons it learned from securing CVR, when it used a single cybersecurity services provider — the Army’s C5ISR Center — to secure the commercial cloud platform. And the various cloud tenants will be tied together by a central identity service the DoD CIO’s office constructed prior to the pandemic.
“That’s really how we’re able to stitch together all the tenants to create that interoperability. That’s what we enjoyed in CVR, and now it’s what we’re trying to replicate with this federated approach,” she said.
At least for the time being, the department will give up some of the economy-of-scale pricing advantage it might have achieved by negotiating a single agreement for CVR directly with Microsoft.
But Metz said DoD’s components will still use a relatively small number of consolidated contract vehicles to purchase their Microsoft licenses. The department is strongly encouraging them to buy the services through the $7.6 billion Defense Enterprise Office Solutions (DEOS) contract DoD and the General Services Administration awarded to Leidos in 2019. The Navy, for now, will continue to use an enterprise license agreement it negotiated separately.
Ultimately, the department also wants to reduce the total number of Microsoft 365 tenants it will have to stitch together in the new federated environment. As of now, there are 13.
“We really have to work hard to manufacture the ability to have seamless interoperability and collaboration. That was easier [in CVR],” Metz said. “I think over time, we’ll be able to optimize to a more reasonable number. But there is a commitment from the military services and DISA, realizing that now that we’re in the cloud, this is shared space. Even though you have your own individual tenants, a risk to one is a risk to all.”
Another key legacy of CVR is a restructuring of the Defense Department’s connectivity to the public internet.
When the pandemic started, DoD’s networks were architected with the assumption that almost all of its employees would be working inside of government buildings with direct connections to government networks.
For that reason, in the early days, CVR — hosted in a cloud outside the DoD Information Network (DoDIN) — was easy for employees to access if they were working from home. But users who were still on government networks had nowhere near the bandwidth they needed to bridge the divide between themselves and their work-from-home colleagues, so the Defense Information Systems Agency had to quickly upgrade the circuits that connect the DoDIN to the public internet.
Those pandemic-related capacity upgrades will play an ongoing role in the new federated environment, Metz said.
“Many DoD leaders are looking at how we’re going to bring people back to work. If we’re going to have a hybrid model, [we’ll need] robust networks and bandwidth, government-furnished equipment, the ability to do the full complement of our work regardless of where you are,” she said. “That affords DoD leadership the ability to be able to make those types of decisions, because we have the footprint now. It should not matter where your workforce is located, they will be able to execute their mission safely and securely.”