[Updated Friday with new DISA org chart] CRYSTAL CITY: The day before Islamic radicals hijacked Central Command’s Twitter account, the Defense Information Systems Agency officially launched a major overhaul intended, among other things, to increase cybersecurity. But it doesn’t mean the office is getting bigger or getting more money: DISA’s cybersecurity office will actually get smaller.
“It’ll definitely be smaller and more focused,” DISA’s “chief information assurance executive,” Mark Orndorff, told me yesterday after an AFCEA panel. By handing over day-to-day responsibilities for procuring technology and operating systems to newly formed divisions within DISA, he argued, the cybersecurity office will be able to lift its nose from the grindstone and look to the future.
“Prior to today, I’d spend the vast majority of my time and my office[’s] on keeping things working that had already been fielded and getting the things we just purchased out the door into operations,” Orndorff said. “What we didn’t spend much time on was thinking, ‘what should we be doing [next]? Where’s the threat evolving?’”
As a result, Orndorff could often see the threats of tomorrow emerging but not necessarily do anything about them, because his office was overwhelmed with the threats of today. “There’s technology we could put into our networks to start driving that [emerging] risk down, but frankly under the previous organization, we really didn’t have time to dig into detail and flesh out those ideas,” he told me. “With the reorg, and the focus on more strategic-level planning, I think we’ll be able to do a better job.”
While the streamlined cybersecurity office refocuses on the big-picture future, however, who will keep all DISA’s disparate programs on track here and now?
“That is the challenge, the No. 1 challenge, for the risk management office,” Orndorff said when asked that question at the panel. “We’ll have our hook into each part of the organization to try to make sure that we keep that focus on cybersecurity.”
The cybersecurity office will hand over management of specific programs — including the personnel and budget to run them — to two newly created divisions of DISA. One center, under Alfred Rivera, will handle procurement and development of new technology; the other, under Dave Bennett (currently the CIO), will handle services and sustainment of existing technology. “Mr. Bennett will have the ‘keep things working that have already been fielded’ [portfolio] and Mr. Rivera will have ‘get the things that we’ve purchased out the door into operations,’” Orndorff told me.
“What we will be doing is laying out an architecture that lays out where we’d like Mr. Rivera to take the programs, [e.g.] where we need to acquire capabilities, [and] we’ll lay out standards and operational assessments to help guide Mr. Bennett [in] sustaining and operating securely,” Orndorff said during the panel.
Most important, the head of information assurance will still set cybersecurity standards for everything DISA does — and he’ll retain “the head-knocking authority” to force programs to comply with those standards, Orndorff told me: “Anything that goes into production has to get an approval from… me [or soon] John Hickey,” said Orndorff, who’ll retire in a few weeks and hand over to Mr. Hickey, another DISA official.
“What’s happening now is reflective of the importance of cybersecurity to the Department and to DISA,” Orndorff summed up in his presentation to AFCEA. “We aren’t going to have a separate program office for the cybersecurity program: Cybersecurity is part of everything DISA does.”
That’s the aspiration, at least. The hard part, of course, is making it a reality.
“This reorganization, [officially] we started this on January the 11th,” Lt. Gen. Ronnie Hawkins told AFCEA. “It is not going to take place overnight,” the DISA director cautioned. “[But] by the end of this calendar year, we should be solidly ensconced into this organization.”