By Cheryl Pellerin
DoD News, Defense Media Activity
WASHINGTON, April 10, 2015 – Defense Department Chief Information Officer Terry Halvorsen is leading a charge to modernize the department’s information technology-cyber enterprise using every available tool, especially those in commercial markets, a defense official in the CIO’s office said.
David A. Cotton, acting deputy CIO for information enterprise, recently spoke to an audience at the FedScoop 2015 Mobile Gov Summit about how DoD is leveraging the power of commercial IT to give its workforce access to information at the point of need.
Cotton said the department has 1.4 million active-duty men and women, 718,000 civilians and 1.1 million National Guard and Reserve members. More than 450,000 of those employees, he noted, are overseas or outside the continental United States.
The department, he added, has several hundred thousand buildings and structures at more than 5,000 locations on 30 billion acres of land.
Contributing to the Mission
“To us, the mobile workforce is very important. We've got to bring [them] capability so they can contribute to the mission wherever they might be located,” Cotton said.
The framework for the department’s IT-cyber modernization is the Joint Information Environment, or JIE, which Cotton calls a vision for the future and something the department always will be trying to achieve.
Within the JIE are shared IT infrastructure, common configurations and management, and a common set of enterprise services and capabilities, all with a single security architecture so the system will be more secure, more effective and more efficient, Cotton said.
Improved security will give mission commanders a better sense of their level of risk and, from a cyber perspective, a better understanding of their situation within the network, he added.
Shared Situational Awareness
“The network operators -- defenders -- will have the same shared situational awareness, instead of disparate networks that require much more collaboration to understand the enterprise perspective,” Cotton said, adding that a consistent IT architecture will make the network resilient and defendable.
On the effectiveness side, he said, department personnel will have timely, secure access to data no matter where they are or what device they’re using, and they’ll have access to information and services in case of disruption, degradation or damage.
The system also will be more efficient, Cotton said, reducing duplication of capabilities across the services, increasing the return on investment, reducing IT operating costs, and allowing for budget transparency on the IT expenditures.
Joint Regional Security Stacks
But the foundation of the JIE is called Joint Regional Security Stacks, or JRSS, Cotton said.
The JRSS itself is a series of 19-inch racks in cabinets, with network applications and appliances in the racks. The technology enables a consolidated view of the network activity and potential anomalies, he noted.
“Army started the initiative, then the Air Force joined in, with Marines and the Navy soon to follow,” Cotton said.
The Defense Information Systems Agency is partnering with the Army and Air Force and using JRSS to change the way the department secures and protects its information networks.
According to DISA, a joint regional security stack is a suite of equipment that performs firewall functions, intrusion detection and prevention, enterprise management and virtual routing and forwarding, and provides network security capabilities.
Touching Every Base, Post, Camp
Deploying JRSS centralizes network security into regional architectures rather than locally distributed architectures.
“It's a huge effort,” Cotton said, “because essentially in the end we'll touch every base, post, camp, station or location that DoD networks reside in or traverse.”
With this, the deputy CIO added, the obvious next step is connecting the network environment to the cloud computing environment.
“Right now Mr. Halvorsen … wants us to run to cloud capabilities quickly on the commercial side, but with some rules -- because we believe there are probably more cost-effective solutions for some of the things we do in the commercial market than there would be in our own federal data centers,” Cotton said.
The Commercial Cloud
In December Halvorsen published a memo giving updated guidance on commercial cloud acquisition, Cotton added, and his office worked with DISA and the community to develop a related security requirements guide.
“DISA … is now the keeper of the security requirements,” he said, “so they drafted the requirements for using cloud [services] and distilled them down to four levels of security -- from public-facing information on a website to Secret.”
DISA published the requirements on the Internet and sought public comments, using the feedback to continually refine them.
Cotton said the security aspects are based on the Federal Risk and Authorization Management Program, or FedRAMP, a government-wide program that offers a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
DoD’s Mobility Evolution
DoD’s mobility evolution began with BlackBerry smartphones and is now, Cotton said, into the unclassified and the classified elements of mobile solutions.
The department is now going from one vendor to many vendors, he added, and to devices that are commercially available, with the security requirements DoD users need, and the ability to use in the workplace technologies that are readily available for personal use.
“I, for example, carry one of the [DoD] devices that actually allows a dual persona,” Cotton said. “It has my work e-mail separated from my personal e-mail so I can carry one device if I choose to do that. I find that quite handy and helpful. We have about 1,500 of those deployed today, but we continue to look at what other [devices] are available.”
As the department continues to explore the use of more devices, it uses the National Information Assurance Partnership, a Common Criteria evaluation and validation scheme, to determine which of the devices can be considered for official use, he added.
On the secure communications side, Cotton said, “We want to transition to commercial [technology] … and we actually have some things coming out this year,” including a Samsung smartphone that has secure voice and secure data via Web mail.
Such phones will come with the benefit of derived credentials. According to the National Institute of Standards and Technology, a derived credential is a cryptographic credential derived from the credential on a common access card and carried in a mobile device rather than on the card itself.
“There is extreme demand for that,” Cotton said, “to put the right information with the right person at the right time in the right format.”