The Defense Department plans to establish an on-premise cloud service capability by the fourth quarter of fiscal year 2017.
“The vision that I have is that it would probably be a third-party-managed cloud and it will provide us a set of enterprise services that’s everything from email, records storage, video, chat, file share, collaboration space,” Pentagon CIO Terry Halvorsen said Thursday.
The cloud service capability is part of a larger vision for the future of the DOD’s IT environment, outlined in a new document which Halvorsen discussed Thursday with reporters at the Pentagon.
The enterprise services may even include what Halvorsen described as smaller DevOps projects, even maybe DevOps projects that work on new ways of delivering information and data, Halvorsen said.
Halvorsen noted U.S. allies abroad are also looking at moving to cloud environments. He recently made a trip to the West Coast with some of his counterparts at defense departments of allies, where they discussed cloud computing, information sharing, and identity and access management systems.
“That’s where everybody’s headed, and I wanted to clearly say, DOD is going there too,” Halvorsen said of cloud, which he said might be better described as distributed computing. “That’s where we have to head to.”
Another issue discussed during the West Coast trip, also mentioned in the vision document, is developing a system to replace the DOD’s common access card, in a “two-year plan.”
“We’re narrowing down what I think will be the sets of answers,” Halvorsen said.
He said he thinks the CAC card replacement will be a combination of biometrics, behavior metrics and sets of personal data.
“One of the things that’s really hard to mimic is how you actually interact with your machine,” Halvorsen said.
“Everything from the way you search files to the way, time you spend on different files, all of that stuff is the stuff we can track. And should track. And would be very helpful in determining if you are you on the machine.”
Halvorsen said he did not think the solution would involve a static set of personal data.
“Here’s the trick to this: I don’t think it will be one constant set of personal data, I think it will be personal data that we have on file and we will rotate what that data is at random,” he said. “Even if somebody breaks in they still won’t know which ones were the keys.”
Halvorsen wouldn’t discuss the recent dump online of supposedly National Security Agency hacker-developed software exploits, but the department’s vision document emphasized cybersecurity, particularly prioritizing funding for it.
“DOD networks are more secure today than they were last year,” Halvorsen said. “Do we have more work to do? Absolutely. This is an area where every time you get better, so does the threat.”
The vision’s cybersecurity goal includes near-term focuses of revamping the certification and accreditation process, and continuing the ongoing Windows 10 migration.
Halvorsen said Thursday that he thinks one of the biggest problems is simplifying a network that is unnecessarily complicated.
An example he mentioned: “I think up until maybe last year we were running every version of Microsoft that had ever been invented. That’s a complexity that you don’t need and frankly, creates weaknesses in your systems.”
The department’s other focus in cybersecurity is continuing to change the culture around it. Halvorsen said the goal is twofold: helping everyone realize they are responsible for their behavior in the space, and helping them accept that best practices change rapidly as the threat changes.
Another goal, increasing transparency around IT spending, will require employees to think about how to explain spending in a way that makes sense for nontechnical people, Halvorsen said.
“We are getting more discrete in our ability to see the spend,” Halvorsen noted. “Sharing that better is a key step so that decision makers up and down the chain can see that.”
Halvorsen added that this won’t require changes in policy — it’s more of a change in execution.
“We want to present this in formats and in ways that make sense,” Halvorsen said. “And sometimes we’ve been guilty of not doing that.”
He said the department needs to improve how it communicates to people on the hill, and its “customers” or those internally in DOD who use IT services.
“We had to educate our force a little bit more on business matters, and we’ve done a lot of that to understand how to think,” Halvorsen said. “We’re not a business – but we do have to think like a business in certain things, and this is one of them.”