The Department of Defense’s move to adopt commercial cloud capabilities to modernize its back-office communication and collaboration tools can’t be weighed down by extensive technical requirements and calls for customization and development, a top Defense Information Systems Agency official said Wednesday.
Brian Hermann, chief of DISA’s Enterprise Services Development Division, admitted he was “a little disturbed” when he was given an “81-page functional requirements document” for the $8 billion Defense Enterprise Office Solution (DEOS) contract, which will consolidate next-gen back-office communication and collaboration tools across the DOD in the commercial cloud.
“Doesn’t that sound a little bit contradictory to the idea of leveraging commercially available tools?” Hermann said Wednesday at a FedInsider event. He attributed it to “the department not quite being able to really give up on the idea that the functionality exists — we know it exists in multiple places.”
The Pentagon is similarly looking to adopt commercial cloud capabilities in its landmark Joint Enterprise Defense Infrastructure (JEDI) acquisition, which is led by DOD CIO Dana Deasy.
Hermann, who is helping lead development of DEOS as DISA’s unified capabilities portfolio manager, said the forthcoming contract must “remain non-developmental and focused on actual existing commercial offerings. And we in the Department of Defense have to be willing to change our processes to use the off-the-shelf tools and leverage those commercially available services.”
Instead of focusing on developing technical requirements — an old-school trademark of the custom-built systems the Pentagon and the government at large now are trying to avoid — “what we need to think about is how we operationalize” what’s already commercially available, Hermann said. “What business practices, what cybersecurity, what information access rules we will put around those commercially available tools is what we should be focusing our time on. That’s going to make it successful or not successful.”
“Clearly we have to secure those capabilities and provide those reasonable business processes without going to the point where we’re making our requirements so unique that we can’t use the commercially available tools,” he said.
DEOS challenges, benefits
The move to DEOS, which should replace the Defense Enterprise Email, the DOD Enterprise Portal Service, Defense Collaboration Services and others, will be fraught with challenges, Hermann said. “DEOS changes a lot of things about the way we do things at the Department of Defense.”
He continued, “The cybersecurity associated with connecting to the network is going to severely test our network, it will test our cloud access points, it will test our security stacks, and we have to find a way to make sure that our networks allow us to consume those cloud-based services.”
But it also presents a bounty of opportunity to streamline collaboration and communication across the military services and defense agencies.
“Everyone that delivers their own organic or contractually provided email separately today has their own set of unique vulnerabilities. … The more of those things that we have, the more complex our cybersecurity boundary is, and DEOS will streamline that cybersecurity boundary,” Hermann explained. “It will change our thinking about cybersecurity, though, because it requires we have FedRAMP and the process associated with connecting vendor partners to our network. We have to really understand that it’s different than if we run the stuff in our own data centers. It probably shouldn’t be that different, but it is really a true shared cybersecurity partnership between the Department of Defense and contract vendors.”
Finally, and perhaps most importantly, the biggest gain Hermann sees from DEOS isn’t in added security or cost savings in reducing redundant systems. It’s the ability it grants DOD personnel and service members to focus on the national defense mission.
“The driving factor is that everybody in the Department of Defense has probably higher priority cyber missions that they should have their personnel on and not on the commodity IT work associated with these collaborative capabilities.”