The annual Defense Information Systems Agency’s forecast to industry typically is a must attend event, and one other agencies would be smart to replicate.
DISA brings together in one place nearly every senior executive running programs and offices to tell industry what to expect over the next year or more.
Insight by Carahsoft: Learn how the FedRAMP PMO and its partners believe the end result of many of ongoing initiatives is a better, faster and cheaper cloud security program by downloading this exclusive ebook.
This year’s event, at Martin’s West in Baltimore—yes, the place where you probably had your senior prom if you grew up in Maryland—was well attended by more than 1,000 contractors and didn’t have the parking problems like the 2018 event.
While the overall content was a bit lackluster as it felt like the format focused more on getting through the presentations than providing the expected depth and breadth, it was clear DISA has a lot on its plate.
Here are my three takeaways from the forecast to industry day:
Despite some challenges and potential hesitations, the Defense Department services and agencies are moving to DISA’s internal cloud offering.
MilCloud 2.0 is growing each month as the military services and agencies aren’t waiting for those four-letter cloud efforts to be ready. While the Joint Enterprise Defense Infrastructure (JEDI) or Defense Enterprise Office Solutions (DEOS) programs are mired in protests, DISA, the Army Materiel Command and the Defense Contract Management Agency are among those DoD components to have moved applications to the MilCloud 2.0
Army Maj. Gen. Garrett Yee, DISA’s senior procurement executive, said Army Materiel Command just committed to moving more than 100 applications to the cloud instance, while DCMA migrated 29 applications in less than 90 days.
DISA also moved 28 of its own apps to MilCloud 2.0 earlier this year.
“It will continue to be viable capability for mission partners now and into the future. The department recognizes that we will continue to be in a multi-cloud environment,” Yee said. “The reality is there will be a combination of a lot of cloud capabilities. It’s a matter of finding right capability for an application to be hosted some place.”
Dave Bennett, DISA’s director of the Operations Directorate, said moving DCMA’s applications in 90 days is both a big win and an example of the maturation of the platform.
“We are showing the ability to migrate cloud ready capabilities and progress at scale and at speed as opposed to taking a year or a very lengthy period to move to the cloud,” he said.
Additionally, Bennett said the classified version of MilCloud 2 should be ready to start accepting applications no later than January.
“Between MilCloud 2.0, the JEDI solution and other cloud solutions, we are working with the DoD CIO and others to establish a group of cloud shared services that are back-end capabilities that cloud providers and application owners would be able to leverage so they don’t have to create their own back-end services. It’s a way to speed the movement to the cloud, reduce the cost and get a more consistent look and feel in terms of delivering and leveraging services within the cloud,” he said. “We just implemented another instance of a cloud access point so as we are increasing the bandwidth to the access points, we also are increasing the diversity of the access points so everybody will be able to leverage the capabilities in the cloud without bandwidth being a constraint.”
If each program and project is a plate DISA is spinning, consider the 4th Estate consolidation and modernization effort one of those plates that Italian restaurants serve family style.
The initiative will add 1,200 employees, almost $1 billion in new work and 14 agency customers to make happy.
Air Force Col. Chris Autrey, the chief of the Defense Enclave Services Office, at DISA, may have the most fingers trying to balance that spinning plate.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Autrey said the first generation of the 4th Estate Consolidation is to bring DISA and four other smaller agencies onto a single network called DoDNet by the end of 2021.
“We are doing that initial contract award to do the support and migrate those folks. The source selection is underway right now,” Autrey said in an interview after his speech at the industry day. “In addition to that, we also did the global services contract consolidation, which is allowing all of the agencies to use a single, larger competed support desk contract for cost efficiencies. They will all come onto that contract over the next year or so to help them reduce their costs while still giving them a source of someone to do their services desk work.”
The memo grants DISA the official authority to direct the transition of the 14 agencies into a shared services environment by the end of 2024 and it lists all the common use IT services that DISA will now manage.
Along with DISA, those first four agencies to transition in 2021 include Defense Technical Information Center (DTIC), Defense Media Activity (DMA), Defense POW/MIA Accounting Agency (DPAA) and the Defense MicroElectronics Agency (DMEA).
Additionally, Autrey said DISA set up a products contract with NASA SEWP to standardize the purchase of hardware devices.
“Part of what we are doing is gain efficiencies in the workload so I can put less money against contracts to do this level of work. One of the ways we need to do that is standardized images for like desktops across the 4th Estate. Today if I have 40 different types of laptops, that’s 40 types of baselines and images that I need to keep for those. I can’t afford to do that in the future. That’s a bridge too far,” he said. “By bringing the agency into a pre-competed set of equipment that is approved, meets all the cybersecurity requirements, we have a known good baseline to work with and if you are buying off that list we can support it.”
The products work with NASA SEWP is one of 10 IT services and capabilities DISA will assume responsibility for over the next few years. The other areas include storage, cybersecurity and network access services, according to the Aug. 15 memo.
DISA expects to release the solicitation for the larger DES contract for the remaining agencies in early 2021 with an award in early 2022.
“With the initial pilot, we will see how the initial capability will work. We hope the DES contract provider will come forward with innovative solutions for how to deliver services better and more efficiently,” Autrey said. “We would like to take that innovation and expertise to create a better solution as we migrate the majority of the 4th Estate to the solution.”
One of the biggest challenges with the 4th Estate consolidation is getting every customer agency to agree to the path forward.
Autrey credits the DoD CIO’s office in creating a transparent and collaborative process.
“Danielle Metz [the principal director for the deputy CIO for Information Enterprise, meets with the seniors from the agencies and everything we are doing is an open book to these agencies, everything with the finances, with the plan for schedules, everything with our hardware buy so that open transparency,” he said. “In the end, it’s the same story that everyone gets, no one has a question and can say they haven’t been told, and has the opportunity to contribute to the conversation.”
One of the common themes that emerged during industry day is DISA’s excitement over new and emerging technologies.
Diane Phan, DISA’s endpoint security program manager, said the agency plans to update an endpoint detection and response capability pilot from 2017 looking at new technologies like machine learning and automation in the cloud.
She said the agency will release a request for information in early 2020 and plan to make a contract award by the third quarter of the fiscal year.
Similarly, Phan said DISA is planning acquisitions for application containment capabilities and to expand the comply-to-connect effort across all of DoD.
Tinisha McMillan, the program manager for cyber situational awareness and network operations at DISA, said one of her major efforts is to look at tools and ensure they have an effective and consolidated approach to network defense.
“We need to align analytics to get after defense cyber operations space and ensure we have a rapid incident response,” she said. “That is a critical capability, but we haven’t had a lot of response from industry on it.”
McMillan said DISA will release a follow-on contract in early 2022 for continuous monitoring and risk scoring capabilities as part of obtaining more advanced tools.
Another technology DISA wants to build more capabilities around is mobile security.
Neil Mazuranic, the chief of the services development office, said DISA is developing a mobility prototype to improve how it is developing mobile applications and adhering to standards.
“Having such an environment will give us an opportunity for mission partners to develop applications and put them out to be used by soldiers more quickly,” he said.
“We are looking for the next generation enterprise management mobility tool,” Long said. “Expect to see that soon.”
And then there is Steve Wallace, who leads DISA’s emerging technology directorate.
Wallace is at the forefront of a majority of DISA’s testing and piloting of efforts.
His team has tested several prototypes for transform the way DoD ensures the identity of its users.
Wallace called the assured identity effort part of how DoD is modernizing its traditional approach using the common access card to ensure the right people have access to the network and data. He said the question this initiative is trying to answer is how can DoD continually monitor a user’s interaction with the military’s systems?
“Over the last year we were working with chip set manufacture to integrate the capabilities. Now we are working with a handset manufacture to integrate those capabilities. So we are working our way up the stack,” Wallace said. “We did one prototype that is all software based that is nine months into the cycle. The prototype with handset manufacture is integrating the capabilities focused on Android devices. In about a year, I would hope we will be much further along and have that continuous authentication going on in the background on the handset.”
Another initiative that Wallace expects to pay dividends in 2020 is the browser isolation pilot.
DISA awarded two Other Transaction Agreements in 2019 to look at better ways to defend the DoD Information Network (DoDIN).
“We have two vendors that we are baking off against each other. The challenge is this area is still fairly green in terms of technology so we wanted to see where the technology landed,” Wallace said. “We are at about 15,000 end points right now. Our goal is to reach 100,000 end points within the next 3-to-6 months, and then we will move into a transition period where we hopefully will move the entire department into this type of solution.”
He added the feedback so far has been positive with an equal or better browser experience for the users.
“I don’t want to rush into a selection until we have had time to properly exercise it. We wanted a large cross section of the department to get experience with it and give us the feedback so we could make a more educated decision,” Wallace said.
A third area where DISA is just wading into is distributed ledger technology. Wallace said he believes blockchain is a useful technology and he wants to see how DISA could offer blockchain-as-a-service.
“The answer right now to every IT problem is not blockchain. We are finding useful areas to leverage it,” he said. “We are testing it in our Mechanicsburg data center. It’s really allowing us to explore the technology. There’s been a lot of attempts over last few years to use blockchain in any number of ways, and, more often or not, it can be solved with a simple relational database and you don’t need all that overhead. But where it gets interesting is in the logistical space where you potentially want to share that dataset out among multiple groups of folks and you don’t want to give them access to a database or web service. But you can have this ledger that you can distribute and it’s secured in a cryptographic manner so that everyone has the ability to read if not potentially write to it. But we can make it more robust than it needs to be. Logistics is a good use area for something like blockchain.”