WASHINGTON, DC: “I’ve been 36 years in the government,” the Pentagon’s deputy chief information officer said this morning, and I’ve never seen a team of CIOs work as closely together as this team does over the last 24 months.”
“All the CIOs are working together,” Donald Heckman told the Ignite ’19 cybersecurity conference this morning. “We’re working across the board to share best practices, set common standards, and make sure we don’t have service-unique solutions, that they all kind of roll into an enterprise solution.”
His Army counterpart agreed. “I’ve seen more strategic shifts, in terms of us working together across the department, in the last 24 months than I’ve probably seen in the last 10 years or so,” Army CIO, Lt. Gen. Bruce Crawford said. “One big thing we’ve got to do [is] resist the temptation to develop service-specific solutions.”
Now, some translation of buzzwords is in order. “Enterprise,” in this context, refers to the Defense Department’s non-combat information technology at military bases, agency offices, and the Pentagon itself — as distinct from the tactical networks that pass targeting data and intelligence reports to combat units. The tactical side, which has to operate in harsh conditions and literally under fire, requires some unique technology and will remain government-run. But the enterprise side of DoD resembles any other major business and can be outsourced, at least in part, to private companies.
Enterprise as a service is the Pentagon’s push to do something a lot of big companies do. Instead of buying your own hardware, software, and networks, and hiring your own techies to keep them running and up to date, you effectively rent everything (the whole enterprise, as it were) from a company that specializes in such things. Instead of going through the federal government’s notoriously slow and cumbersome acquisition system — Crawford estimated it would take 30 years to buy new IT for every one of the Army’s 288 installations — you can use service contracting, which is significantly more flexible. So when you need to upgrade software or hardware, for example, you don’t have to go through the procurement process: The contractor does the upgrade for you and bills it as a service on the existing contract….
… assuming, of course, you’ve written the contract correctly. There are plenty of ways this can go wrong, and the pioneering prototype of enterprise-as-a-service, the Navy-Marine Corps Intranet, ran afoul of several of them. The way the original NMCI contract was written, for example, the Navy and Marine Corps didn’t actually own their data — the contractor did — said former Army CIO, retired Lt. Gen. Susan Lawrence.
“It was very painful to get it up and operating,” Lawrence told me before she moderated this morning’s Ignite panel with Heckman and Crawford. But, she said, the four services have learned from NMCI, both in the Navy Department’s revised contract, called Next-Gen, and in the Army and Air Force pilot projects for enterprise-as-a-service now underway. (Lawrence’s employer, Accenture, has a role in many of these projects). All those contracts, for instance, give the military ownership of the data.
The Army was the last of the military branches to embrace enterprise-as-a-service, Crawford acknowledged, and it leaned heavily on the Navy and, especially, the Air Force. “Our involvement in this actually started with the gentlemen to my left and I,” Crawford said, pointing to Air Force deputy CIO William Marion, “on a bus with Mr. Dana Deasy [the Pentagon CIO] in New York City, right about a year ago.”they
Building on that bus ride conversation with Marion, Crawford moved out on an Army enterprise-as-a-service pilot project informed by the Air Force’s experience — and, in at least one case, they actually used the same contract. The same company, SAIC, will migrate hundreds of applications from the existing IT to new cloud-computing systems for both Air Force and Army, Lawrence told me. (That contract is, of course, under a bid protest at the moment).
That said, Lawrence went on, there are some significant differences. The Air Force is doing three parallel pilot projects on different aspects of as-a-service: one for networking, one for processing power (known in the industry as “compute”) and data storage, and one for end-user devices (i.e. the actual computers people use). Her company, Accenture, just finished doing preliminary assessments of six bases, for instance. The Air Force will take stock of these pilots in late 2021 and then issue a long-term contract.
The Army, by contrast, is doing pilot projects with three companies — AT&T (partnered with Accenture), Microsoft and Verizon — at three different bases. Each contractor is providing the whole range of services at its designated location. What’s more, Lawrence told me, once the Army decides which of the competitors is doing the best job, it won’t have to compete or negotiate a new contract for the next phase, which covers another 40 bases. It can just exercise the appropriate clause in the existing contract.
Now, this whole process puts a lot of trust in the corporate vendor providing the whole enterprise enchilada as a service. Where should government draw the line?
“That answer is going to be determined by what is critical to us as a mission,” said Marion, the Air Force deputy CIO. “Sometimes we need to own it. Sometimes we don’t.
“Even in the cybersecurity business, there’s elements we don’t need to run anymore,” Marion went on. Yes, there’s no substitute for the elite hackers of Cyber Command, but the Defense Department can rely on, say, Microsoft’s Office 365 to filter out routine spam.
The whole point of the pilot projects now underway, Marion continued, is to figure out where that line should lie. But whatever the final decision on outsourcing, he said, the Defense Department does need to unburden its technically skilled troops of the routine back-office tasks, so they can focus on the hardcore cyber warfighting that only the military can handle.
“If we keep the old model, if we don’t make the bold move, we don’t have those airmen available,” Marion said.