By Cheryl Pellerin
DoD News, Defense Media Activity
WASHINGTON, April 10, 2015 – Defense Department Chief
Information Officer Terry Halvorsen is leading a charge to modernize the
department’s information technology-cyber enterprise using every available
tool, especially those in commercial markets, a defense official in the CIO’s
office said.
David A. Cotton, acting deputy CIO for information
enterprise, recently spoke to an audience at the FedScoop 2015 Mobile Gov
Summit about how DoD is leveraging the power of commercial IT to give its
workforce access to information at the point of need.
Cotton said the department has 1.4 million active-duty men
and women, 718,000 civilians and 1.1 million National Guard and Reserve
members. More than 450,000 of those employees, he noted, are overseas or
outside the continental United States.
The department, he added, has several hundred thousand
buildings and structures at more than 5,000 locations on 30 billion acres of
land.
Contributing to the Mission
“To us, the mobile workforce is very important. We've got to
bring [them] capability so they can contribute to the mission wherever they
might be located,” Cotton said.
The framework for the department’s IT-cyber modernization is
the Joint Information Environment, or JIE, which Cotton calls a vision for the
future and something the department always will be trying to achieve.
Within the JIE are shared IT infrastructure, common
configurations and management, and a common set of enterprise services and
capabilities, all with a single security architecture so the system will be
more secure, more effective and more efficient, Cotton said.
Improved security will give mission commanders a better
sense of their level of risk and, from a cyber perspective, a better
understanding of their situation within the network, he added.
Shared Situational Awareness
“The network operators -- defenders -- will have the same
shared situational awareness, instead of disparate networks that require much
more collaboration to understand the enterprise perspective,” Cotton said,
adding that a consistent IT architecture will make the network resilient and
defendable.
On the effectiveness side, he said, department personnel
will have timely, secure access to data no matter where they are or what device
they’re using, and they’ll have access to information and services in case of
disruption, degradation or damage.
The system also will be more efficient, Cotton said,
reducing duplication of capabilities across the services, increasing the return
on investment, reducing IT operating costs, and allowing for budget
transparency on the IT expenditures.
Joint Regional Security Stacks
But the foundation of the JIE is called Joint Regional
Security Stacks, or JRSS, Cotton said.
The JRSS itself is a series of 19-inch racks in cabinets,
with network applications and appliances in the racks. The technology enables a
consolidated view of the network activity and potential anomalies, he noted.
“Army started the initiative, then the Air Force joined in,
with Marines and the Navy soon to follow,” Cotton said.
The Defense Information Systems Agency is partnering with
the Army and Air Force and using JRSS to change the way the department secures
and protects its information networks.
According to DISA, a joint regional security stack is a
suite of equipment that performs firewall functions, intrusion detection and
prevention, enterprise management and virtual routing and forwarding, and
provides network security capabilities.
Touching Every Base, Post, Camp
Deploying JRSS centralizes network security into regional
architectures rather than locally distributed architectures.
“It's a huge effort,” Cotton said, “because essentially in
the end we'll touch every base, post, camp, station or location that DoD
networks reside in or traverse.”
With this, the deputy CIO added, the obvious next step is
connecting the network environment to the cloud computing environment.
“Right now Mr. Halvorsen … wants us to run to cloud
capabilities quickly on the commercial side, but with some rules -- because we
believe there are probably more cost-effective solutions for some of the things
we do in the commercial market than there would be in our own federal data
centers,” Cotton said.
The Commercial Cloud
In December Halvorsen published a memo giving updated
guidance on commercial cloud acquisition, Cotton added, and his office worked
with DISA and the community to develop a related security requirements guide.
“DISA … is now the keeper of the security requirements,” he
said, “so they drafted the requirements for using cloud [services] and
distilled them down to four levels of security -- from public-facing
information on a website to Secret.”
DISA published the requirements on the Internet and sought
comments, using them to continually refine the requirements.
Cotton said the security aspects are based on the Federal
Risk and Authorization Management Program, or FedRAMP, a government-wide
program that offers a standardized approach to security assessment,
authorization and continuous monitoring for cloud products and services.
DoD’s Mobility Evolution
DoD’s mobility evolution began with Blackberry smart phones
and is now, Cotton said, into the unclassified and the classified elements of
mobile solutions.
The department is now going from one vendor to many vendors,
he added, and to devices that are commercially available, with the security
requirements DoD users need, and the ability to use in the workplace
technologies that are readily available for personal use.
“I, for example, carry one of the [DoD] devices that
actually allows a dual persona,” Cotton said. “It has my work e-mail separated
from my personal e-mail so I can carry one device if I choose to do that. I
find that quite handy and helpful. We have about 1,500 of those deployed today,
but we continue to look at what other [devices] are available.”
As the department continues to explore the use of more
devices, it uses the National Information Assurance Partnership, a common
criteria evaluation and validation schema, to determine which of the devices
can be considered for official use, he added.
Cryptographic Credentials
On the secure communications side, Cotton said, “We want to
transition to commercial [technology] … and we actually have some things coming
out this year,” including a Samsung smart phone that has secure voice and
secure data via Web mail.
Such phones will come with the benefit of derived or
cryptographic credentials. These, according to the National Institute of
Standards and Technology, are derived from credentials in a common access card
and carried in a mobile device rather than a card.
“There is extreme demand for that,” Cotton said, “to put the
right information with the right person at the right time in the right format.”