The Pentagon can no longer certify and accredit the IT products and services it uses rapidly enough to keep pace with developing technologies and “maintain the edge,” Defense Department CIO Terry Halvorsen said Thursday.
The DOD is exploring a new policy to partner more strategically with industry on certifying IT by putting the responsibility more in the hands of the firms to show their products comply with the department’s requirements, Halvorsen said.
“I think the day and age of us being able to sit and certify either applications or systems, and even products, hardware, is gone,” he said.
While many of DOD’s partners love its current “dynamic, agile certification and accreditation process,” as he described it, Halvorsen said the department “is going to blow it up” because advances in technology are just too rapid for the current system to keep up. “It doesn’t work,” he said.
“What we want to do is partner with industry so that we’re looking to say … they have processes in place that they’ve shown to us, and they’ve shown us some of the output of those processes, i.e. the code, that proves they are making secure enough products,” Halvorsen told FedScoop after a keynote speech about defense industry security.
“If they do that, then what we can do is say, ‘OK, you’re good’” on some periodical basis, he said, calling it a “trust arrangement.” “We’ve got to get there, because today, an average accreditation is over a year, so I generally can’t operate anything on my network without an authority to operate, which means I have to have an accreditation. A year is way too long for us to be waiting for changes. It also costs a whole heck of a lot of money for us to do it the way we’re doing it.”
This movement is largely driven by the distributed nature of modern IT enterprises based in the cloud with regular updates from developers. Under DOD’s current outdated certification and accreditation processes, the department can’t take advantage of those immediate changes, putting it at a security disadvantage.
“I would have to stop and recertify,” Halvorsen said in his keynote. “That’s not going to work.”
“We can’t be as agile as we need to be, and in fact, when we’re that slow, it actually lowers security” because at the pace of the updates in the cloud “I could not then accept the security and other changes to the cloud that make it a better product,” he explained in an interview.
Partnering more closely with industry broadly “is in fact our secret weapon to maintain the edge,” Halvorsen said. It’s been a theme of many of his recent talks and was the impetus for his trip to visit Silicon Valley last week with representatives from NATO, IT leaders from other allied forces and CIOs from the American military branches.
In particular, he believes there needs to be greater dialogue between DOD and industry on needs and capabilities rather than getting lost in an avalanche of requirements.
“I don’t want us using the word ‘requirements’ any more,” Halvorsen said. “Requirements have been translated to mean this really long list of technical things that dictate the solution. That’s not helpful. I want to have an industry discussion about capabilities — to lay out the capabilities I want in security, and then get the innovative power from industry to answer that.”
Moreover, those discussions will be far more effective if they occur between the actual product owner with the need and the product developer who has the capability to fill it, he added, instead of starting with a sales discussion and letting someone who will never use the product develop a long list of requirements.
And while the Pentagon needs to get better at working with industry, Halvorsen admitted, private firms must also work better with one another.
“There is nobody — no single company anywhere — that is going to provide either DOD or the allies all the answers I need in security,” Halvorsen said. “It’s just not going to happen, particularly if I say I want the best of the breed.”
“We’ve gotta have that dialogue or the secret weapon doesn’t work,” he added.
That may be a solution to help smaller companies with new and innovative ideas afford to do business with the Pentagon, Halvorsen said. He particularly worries that his proposed model for IT accreditation may alienate smaller IT firms that don’t have the money to support such a process internally.
“I’m hoping that in parts of industry we will work out how to address the small industry; we cannot afford to have that. Maybe there’s a way bigger companies can sponsor them under their process,” he said, pointing to a model similar to how many smaller IT companies have gotten out of the business of providing their own infrastructure and instead outsource it to the massive cloud service providers like Amazon Web Services and Google.
“I don’t know the answer to that,” Halvorsen said. “What I do know is the current process is too costly, too time consuming and cannot deliver the agility that we have to have.”