DoD to test commercial cloud for some sensitive data

Jason Miller | April 17, 2015 7:34 pm

The Defense Department will identify a set of pilot programs in the next month to put more sensitive data into a cloud not run by the military.

This is one of several initiatives Terry Halvorsen, DoD’s acting chief information officer, is planning, to change the way the military uses and manages its network.

Halvorsen said his office will announce the five pilots in the next 20 days that will see how sensitive data — at the Level 3 and Level 4 security classification — can work in a cloud environment that is owned by the public sector.

“We are probably not going to put a lot of Level 3 data into what I would call a standard open cloud. But we will be putting in semi-private clouds. I could see some of that data going into government-only clouds that are in the commercial sector, but it’s partitioned so that it’s only government. Some of that will be private clouds,” Halvorsen said Wednesday at the Federal Forum conference sponsored by Brocade in Washington. “And we are looking at some interesting opportunities that might even do things like, what if I had a government building that I said, ‘OK, commercial vendor, come in and operate the whole thing. Give me the cost for doing that and comparing that to our costs for internal operations.’”

Halvorsen said he’s meeting with the team leading this effort daily to ensure these pilots get off the ground in a timely manner. He said they also have another big incentive.


“If they get five of them done, and I won’t give you the exact timeline, but it could be the first of September, I am buying steak dinners and we decided it would not be at Golden Corral,” Halvorsen said.

To be clear, this is not classified data going on commercial clouds, but it’s sensitive data that traditionally is kept on DoD-only networks.

He said the pilots are important because they would give DoD confidence in moving its networks in a new direction that meets its goals of agility, affordability and security.

The move to the cloud is part of a broader network modernization strategy, which the Joint Information Environment (JIE) is driving.

The JIE is not a contract or network, but an umbrella term to talk about standards, consolidation and sharing of network and data.

Halvorsen said DoD is planning a series of discrete objectives around JIE that are definable, affordable, defendable and measurable.

New policies under development

He said the efforts around the JIE are leading to a series of policy opportunities.

“How do we get into a more software-defined network? Another one is implementing what we are calling smart, safe code. It’s leveraging some of the industry work to put out some acquisition guidelines that say code on anything that is software must meet these following standards for both security and frankly for ease of conversion too. We are working through what those are and we will come back to industry to ask for more guidance for that, to ask what you see. The last one is to put some harsher standards that say, if you are going to develop software for us, you must develop it to require the minimum bandwidth possible to operate on.”

Halvorsen said the bandwidth requirement may not be a hard-and-fast rule, but it’s something DoD wants vendors to begin to get used to.

“We have to operate in what you could call challenging, low bandwidth environment,” he said. “The more we can standardize how we do that, the more effective and efficient we get. Part of that means, we need to have software that takes into account that it will have to operate in some of those environments.”

He says software that can run well on lower bandwidth is a good thing all around as more devices and applications require additional bandwidth.

Halvorsen didn’t offer any timetable for when he would issue these new policies.

In the end, Halvorsen said the goal is to reduce the number of DoD networks, understanding that getting down to one or a small number may not be realistic even in the long-term. But by implementing the standards under the JIE, the military services and agencies will be able to share data more easily and have better capabilities across the department.

Business data benchmarking underway

Halvorsen said he also wants DoD to do a better job aligning network investments, which means having the data and trust to exchange data.

“The DoD CIO in conjunction with the DoD deputy chief management officer is undertaking a review of the business systems and the processes of the fourth estate—that’s all the principal staff agencies like Acquisition, Technology and Logistics,” he said. “Within that, we are doing some data benchmarking. That can be everything from what do we spend on certain contract items, what do we spend on contract labor, how are we doing spending our dollars on civilian manpower with normal grade structures. All of that data, sharing that, starts to get you to more open exchange of dialogue because you can see some of those advantages to those changes. That is part of a Joint Information Environment.”

Halvorsen said they are benchmarking business data for two reasons: first, because for the most part it’s common among all services and agencies, and second, because it’s low-risk data that can be shared and stored in the cloud.

Risk is playing a bigger role in DoD’s decision-making process when it comes to how it modernizes its networks.

Halvorsen said DoD’s new security architecture, called the Joint Regional Security Stacks (JRSS). The Army has been out in front of implementing the JRSS over the last few years, but now the concept is expanding quickly across the military.

Halvorsen said part of that expansion is the JRSS-plus concept, where the plus is ensuring DoD has the bandwidth to take advantage of the new security capabilities.

“In the end, it should reduce the number of firewalls we have. It should give us not just enhanced security — it will do that — but maybe the more important fact, it will improve our ability to defend because it will make us more agile in our responses,” he said. “It will give us the ability to see centrally and then share up and down what the states of the network are much better than we can do today by eliminating some of the physical surfaces we have. We will close some of the attack vectors once we get this done.”

Switches, routers in need of an upgrade

Halvorsen said DoD also will implement a commercial software called the Joint Management system, which is a switching capability that includes a set of cyber tools. The tools will give DoD a shared view of the health of its networks, which will let it take actions to fix problems more quickly.

Halvorsen said he also expects DoD to pay less for network security. How much less, he’s not quite sure just yet.

He said the criteria to determine how much the JRSS-plus concept will cost are still going through the development process. Once he’s comfortable, there will be a meeting with Adm. James Winnefeld, the vice chairman of the Joint Chiefs of Staff, and Bob Work, the deputy secretary of Defense, to determine if this is the right direction for DoD.

Now at the same time, Halvorsen said DoD is heading down another path toward better network security and performance.

“To look at our basic sets of infrastructure, and what I’m really focused on here, to put it in something more understandable, is our switches and routers. We have, candidly, some outdated switches and routers. And one of the things we haven’t done enough of yet that we are going to take a look at is how do we take our current legacy switches and routers and invest again in a more agile, responsive software-defined environment,” he said. “This really gets to how do we get to a network environment that is managed with switches and routers that I can address from a software standpoint–again, quickening my response time because it’s not a hardware change when I need to update. We’ve got to do that. We’ve got to embrace what I would call software-defined vision of where we have to go with the network and that includes all of the infrastructure on your network.”

The third piece of this effort is to put more of the network running over IP. Halvorsen said not everything will run over IP, but the goal is to get about 90 percent of all DoD networks to use this technology.

Halvorsen added DoD also will take advantage of the network upgrades to bring more mobile capabilities, including smartphones that can handle classified data, and hardware and software using open standards.

