Efficiency and effectiveness, being risk aware part of DoD acting CIO’s cyber priorities

Acting Defense Department Chief Information Officer John Zangardi’s first three months on the job have been busy with redefining cyber responsibilities, learning how to “speak warfighter,” and improving Defense Travel System services — and that’s just short-term efforts.

Speaking at the May 2 Adobe Digital Government Symposium, Zangardi laid out his priorities for DoD’s cybersecurity and IT systems.

Zangardi said maximizing lethality and capability top the list, followed by reducing and protecting the attack surface, driving effectiveness and efficiency, and understanding the DoD IT architecture.

“A task we have in IT is to drive efficiencies,” Zangardi said. “The reason we want to drive effectiveness and efficiency is to get that capability out to the warfighter, to make sure they have the command and control assets they need to do their daily job. More importantly, if we can free up dollars that can be put into the procurement of planes, or ships or tanks or bullets, that’s a responsibility we owe to the American taxpayer. So being more effective and efficient in our utilization of modern IT; making sure our folks have the right tools so they can accomplish their job is inherent in what we have to do to go forward.”

Zangardi said he would also be focusing on DoD’s move to Windows 10, an effort championed by former DoD CIO Terry Halvorsen, who left in mid-February.

“The objective is to be done and in our networks by the end of this calendar year,” Zangardi said. “That is a challenge that we’re still working to meet. It’s important to get Win 10 out there because it changes how we do business.”

Windows 10 is an evergreen product, he said, which is important because it helps DoD stay current and also requires a look at processes for certifying applications or an operating system to run on the network.

“Because it’s evergreen, updates are coming continuously,” Zangardi said. “Win 10 is also important as an enabler for our enterprise vision. As we’re looking to the future we want to do something called DEOS, defense enterprise office system. We want to move to a more modern office suite.”

Reporter Meredith Somers discusses this story on Federal Drive with Tom Temin

DEOS would integrate things like voice, video, email, content management and other communication devices into one seamless, unified client.

There needs to be more collaboration, mobility and digital transformation and Windows 10 is the base for that, Zangardi said.

Zangardi said DoD got about 17 responses to a February draft RFP for the Unified Capabilities (UC) contract award. While some are pushing for a May final RFP, “we’re probably looking more like June,” Zangardi said.

“What it would allow us to do is increase security; modern operating system, modern office system, continuous evergreen updates,” he said. “It increases our efficiency because we’re going to change the way we do things.”

Zangardi said DoD was also looking at updating its cybersecurity scorecard.

The first version measured 11 things and it was static and relied on self-reporting, Zangardi said.

Some of those things included ensuring that:

  • Host-Based Security Systems (HBSS) are implemented.
  • Every computer is (a) properly patched and (b) properly configured.
  • All internet-facing web servers are moved to approved demilitarized zones.
  • All (a) Windows XP, (b) Windows Server 2003, and (c) older operating system software are removed from both the unclassified and classified networks.

“It was a move from not knowing what you have, to beginning to know what you have, and when you can measure something, you can do something about it,” Zangardi said. “Because we measured things, we could cajole people, we could encourage people to do the right thing, to make the investment.”

But the way those items were measured wasn’t dynamic, Zangardi said, which is why 2.0 will be more about automated reporting and looking at things like a heat map, “so we understand the threat better.”

“So we want to improve what we’re doing, drive higher standards,” he said. “But we want to be dynamic, we want to be able to get to the latest information about our network quickly.”

Zangardi also spoke about having to understand the cost of the IT enterprise, and developing cost accounting codes across the department to better understand where IT dollars are going.

Zangardi said he’s been busy defining cyber responsibilities, a task designated to the DoD CIO in last year’s National Defense Authorization Act, to look at cyber and information resources — mainly focused on the Office of the Secretary of Defense — and improve organization.

Zangardi said he’s working closely with National Security Agency Director Adm. Mike Rogers, and the effort has been ongoing for about two months.

“We have to work through all the stakeholders who have significant equity in things related to cyber. The objective here is to clean up the roles and responsibilities and make sure we have the right organization at the OSD level to go after this,” Zangardi said. “That’s phase one in what’s required by law. Admiral Rogers and I want to extend out to a phase 2 and 3, where we start looking at [U.S.] Cyber Command and down, to make sure that we’re organized right out in the field, so the effort will extend after we meet the legislative mandate.”

Zangardi said there is also a push to be better at speaking “warfighter.”

“We can’t quantify what we do,” Zangardi said. “It’s hard to do in IT. We have to be better at coordinating and collaborating. Coordinating and collaborating means understanding what everyone wants and trying to capture that. And when things go bad, work to fix it.”

Zangardi said it’s important to be “risk-aware, not risk-averse.”

An example of this was learning from electronic health records and the cloud. Zangardi said he signed an authority to operate about six weeks ago that puts health information about active-duty military members and their families, and retirees, into the cloud.

“We’ve got a duty to protect that data,” Zangardi said. “And as we progressed down that road, we worked very closely with industry, and working very closely with industry taught us a lot. And I think it taught industry a lot, too. We changed how things were as we went forward to make sure that we were protecting that data. There’s still a lot of work to do, but the things we learned from that indicate to us that a lot of the security procedures we put in place — I’m not saying they’re all right — are important for protecting important data.”

He also said modernization is important. He said two weeks ago he put out a pilot for commercial applications for the Defense Travel System.

Zangardi said he’s got a security team assessing how the application would protect customer data. Even though there isn’t a lot of personally identifiable information, it is in there, “and we do have to protect that,” Zangardi said.

“Our approach will be one of risk-aware versus risk-averse,” he said. “We need to modernize the Defense Travel System. We have to make it better, because right now they’re not happy with this. What we’ll achieve there when we get it in place, is a better experience, hopefully save money, and provide more security.”