BALTIMORE — The Defense Information Systems Agency annual forecast to industry day on Oct. 29 was a sure sign the federal market is returning to normal.
A nice crowd of maybe 200 industry executives showed up at the Baltimore Convention Center to better understand where DISA is heading in 2022 and beyond. But more than just the usual positioning for meetings and trying to gain a competitive edge, DISA took more of a strategic approach than the typical tactical one focused on contracts and timelines.
Throughout the seven-hour day, DISA officials covered technology priorities ranging from satellite communications to Thunderdome — insert “Mad Max” joke here — to cloud and data centers to small business contracting success and struggles.
More than in previous years, DISA brain dumped more than just upcoming contracts; it detailed how the technology, its priorities and its efforts fit into the Defense Department’s broader modernization strategy.
Here are three major takeaways from DISA’s forecast to industry day:
Throughout the day, DISA speakers followed the basic rules of communication: Tell the audience what you are going to say; say it; and then tell them what you said.
In this case, five different speakers drove home the same message: For most products and services we already provide and with the expected budget tightening, we don’t need more of the same.
Air Force Lt. Gen. Robert Skinner, the DISA director, started off with this theme and it continued until mid-afternoon.
“We have too many tools. So how do we optimize what we have first at minimal cost?” Skinner told the audience to lead off the forecast day. “We have to do more with what we have. We need your help so we can take advantage of the capabilities that exist.”
Skinner told industry to make sure the technology is scalable because DoD likes to break things in some form or fashion.
A few speakers later, Steve Wallace, DISA’s newly named chief technology officer and head of the emerging technology office, echoed Skinner’s comments.
“We want you to help us better tune our systems and make sure they don’t drift,” Wallace said. “The capability is only as good as it is implemented.”
Other speakers followed suit. Don Means, the director of the operations and infrastructure center, said industry has to help them “optimize what we have out there,” and help them figure out what they aren’t using to its full potential.
Caroline Bean, the acting director of the Joint Enterprise Services Division, told industry that DISA needs help “optimizing what we have out there that is not being used to its fullest potential. We want to use capabilities to be more proactive and preventative to provide a more seamless customer experience.”
She added DISA wants to use the data to make decisions faster and earlier in the process.
As you can tell, DISA executives followed their talking points around taking advantage of current technologies and tools, especially as the military’s budget is expected to tighten over the next year or two.
In DISA’s 2022 budget request to Congress in May, it asked for $2.7 billion, which is down from $3.4 billion in 2021.
DISA also receives money, just under $12 billion, from the services and defense agencies for enterprise services and acquisition support through its working capital fund.
Skinner and other leaders expect those figures to remain flat or drop as DoD’s budget is under debate on Capitol Hill.
Industry should heed DISA’s warnings. Current providers need to optimize what DISA already is using, and new ones better bring the innovation and target specific requirements because DISA is tightening up its spending.
If you’ve been paying any attention to DISA over the last 20 years, one thing is clear: They do love their pilots or proofs of concept.
During the industry day, DISA officials mentioned at least five different pilots that are underway or that it will launch in 2022.
The pilots, along with the increased use of Other Transaction Authority (OTAs), signal a bigger shift for DISA in how it buys technology products and services.
Take Thunderdome, its zero trust prototype. DISA said it will soon award an OTA to prove out the concepts that make up a zero trust architecture.
“This is a radical rearchitecting of the DoD’s information networks. That pilot is going to prove out and we will listen to the work being done by other military services including the Air Force to make sure [we are] doing right things in that space,” Hermann said. “The pilot activity is going to help us inform exactly how we implement this across the entire department.”
The Hosting and Compute Center started a web server container pilot as a key piece to its strategy to modernize their data centers with modern technology. The Center’s Director Sharon Woods said she wants the data centers to become key enablers of the hybrid cloud environment and is starting to see how that would work through the pilot of one web server.
“We will achieve significant efficiencies, which will let us reinvest our workforce into more complexity going after different problems. It is a team that cuts across our entire organization,” she said.
Woods emphasized this pilot, like all the ones that will come from her shop, must deliver a minimum viable product in less than six months.
“That is rule one when we triage and look at what projects we want to undertake. This product is well underway and, for sure, will deliver in six months,” Woods said. “I would offer to industry when you come to us and offer us different ideas, I don’t want to boil the ocean. We are not interested in doing that. We are interested in identifying bite-sized things we can hit as a team, in partnership, in less than six months, and then go from there and use the momentum from those micro successes to really get after the bigger, fundamental global challenges.”
DISA’s move toward OTAs is another example of this strategic goal of increasing speed to capabilities.
Since 2018, DISA has awarded nine OTA prototypes, moved three into production contracts and has two more in process to be awarded. All of DISA’s OTAs go through Dreamport, which is a cybersecurity collaboration, innovation and prototyping lab created by the U.S. Cyber Command with the Maryland Innovation and Security Institute.
“When a program manager comes to us with an OTA requirement, we will schedule a pitch meeting, and we will have the PM describe to us what this requirement is to make sure it’s a good candidate for an OTA. We have turned several back, saying these need to be [Federal Acquisition Regulation] -based contracts because they don’t fit the criteria,” said Vanessa McCollum, a contract specialist at DISA.
In fact, Jason Martin, DISA’s Digital Capabilities and Security Center director, said the spectrum coordination systems procurement is going through that process now and could be shifted back from OTA to a traditional procurement.
“We’ve seen great success with some of our other OTAs. DISA is really evolving. DISA is using new techniques. DISA is doing things to try to become quicker at delivery,” Martin said. “We are leveraging these different more agile ways of thinking and doing this across the board with experts who are [on] loan to us for a day or two or permanent. Thunderdome will be fundamentally different because of how we are stacking it. When you impact the entire Defense Information Systems Network and you need resources from across the entire agency, you have to think differently.”
The pilots, the OTAs and the proofs of concept are all how DISA is demonstrating that its thinking is evolving.
Without a doubt, the most excitement during industry day came from DISA’s soon-to-be-awarded OTA for Thunderdome, its test to create zero trust architecture. DISA is reviewing industry white papers, which were due Sept. 7, and expects to make its choice “soon.”
But beyond the Thunderdome excitement, DISA is taking a lead role in a host of cybersecurity efforts that officials hope are as game changing as Thunderdome could be.
First off, if Thunderdome proves out, DISA will complete its implementation of the Joint Regional Security Stacks (JRSS) initiative this year and start to transition these to the zero trust architecture. DoD launched the JRSS project in 2014 to improve cyber protections. It struggled with implementation during the first several years and the Defense inspector general recommended DoD look for alternatives to JRSS, including zero trust.
At the same time, Martin said DISA will release version 2.0 of its zero trust reference architecture in the coming months.
While JRSS is potentially on the downside of its lifecycle, public key infrastructure (PKI) continues to be a foundation DoD is building on. DISA is looking to take its legacy PKI and modernize its work in a hybrid cloud environment.
“We have been running this on-premise for years, but we think we can do a better job, more efficient, more effective, if we move that to a hybrid cloud environment,” Hermann said. “This is very technically complex what we do as it relates to PKI. We need to have really smart people doing this work. I think it’s fair to say within the government we have lost this technical skill set and it’s a niche capability even in industry. So I’m looking for help about how we modernize and move to a hybrid cloud in this space.”
DISA expects to release a request for proposal for PKI modernization support services in the second quarter of fiscal 2022 and make an award in fiscal 2023.
As part of the PKI modernization, Steve Wallace, DISA’s new chief technology officer and head of the emerging technology office, said DISA continues to look for new ways to make identity and access management easier, without losing any of the security rigor.
“One of the side effects of the Commercial Virtual Remote effort is it proved that username and password, and multi-factor authentication components, whether it was biometrics or tokens, worked,” Wallace said. “I see a heavy focus on that as we move forward.”
Endpoint security is another focus area, with an RFP for third-party tools integration help coming toward the end of 2022 and an award in early 2023.
Wallace added DISA plans to build on its success with the cloud-based internet isolation program with a reverse browser isolation effort.
“The cloud based internet isolation program is when a trusted end point [is] talking to untrusted data on the internet. The reverse browser isolation effort flips that and it is untrusted machines or workstations talking to trusted data sources. How do we create that separation and look beyond web application firewalls?” he said.
Two other long-term efforts include breach and attack simulation capabilities and a cyber asset inventory management program.
Wallace said DISA worked with the Joint Force Headquarters-DoD Information Networks on this challenge to ensure vendor capabilities do what they say they do when it comes to a cyber attack.
“What this category of product does for us is it simulates breaches and attacks, and makes sure the white papers that we implemented capabilities on and the Visio drawings actually hold up in a real scenario. It will help us better tune our systems and make sure things don’t drift because as good as a capability can be, it’s only as good as it’s implemented,” he said. “The cyber asset inventory management program is to get an inventory of all the devices and systems that we have out there. I thought we would end up with a network scanner. But what we ended up with was a product that plugs into all the other infrastructure that we already have and all systems and repositories, then does a comparative analysis and looks for gray space. Why does something appear in my Active Directory, but not in my anti-virus product? We are really excited as we start to deploy that. We are working with the Joint Service Provider to help us move that one forward.”