DISA and DOD work through shared pain points

The Department of Defense's Joint Information Environment campaign to standardize systems and move to shared services is demanding what is sometimes painful change within the Pentagon, the services and the Defense Information Systems Agency.

A number of current and former senior officials in the Pentagon have told FCW in recent months that "DISA needs to step up its game" when it comes to building joint infrastructure and providing better speed through cloud access points, for example.

Recently retired Air Force CIO Lt. Gen. William Bender told FCW in March 2017 that as the DOD moves toward using more commercial solutions, DISA should focus on "standards and oversight, not on contracting, which has been a DISA weakness."

But in a media roundtable at the AFCEA Defensive Cyber Ops summit in Baltimore, DISA officials said they have been making progress in becoming more agile -- both in terms of contracting and in delivering capability to the customer.

And they said that some of the friction between DISA and its customers is a natural byproduct of developing joint infrastructure for a range of organizations that have historically wanted proprietary systems.

"They're looking for something unique that is specific to their mission or their service or whatever, and we've got to make sure that we're addressing it from a holistic enterprise solution," said Alfred Rivera, DISA's Development and Business Center director.

He pointed out that the Trump administration's cyber executive order also stressed the move to cloud and shared services, and everything is going to move in that direction.

"It is a balancing act with our customers … at the architectural and agility level," Rivera added. "I see it continuing to be a work in progress with the customer."

"You've got to have thick skin because I've never seen anybody that loves the people that actually provide the services on an IT standpoint," said DISA Cyber Development Executive John Hickey.

He said that he understands the tension given his service background. DISA has to protect the network, and at the same time, he said, it must understand the customer needs -- for example the constant demand for more bandwidth.

"[U.S. Cyber Command Director] Adm. Rogers says, 'I can't see the network, I can't defend what I can't see at an operational level,'" Hickey said. "We've got a lot of talent that sits on Fort Meade that's got to be able to see the network to defend the network. We can do some of that at perimeter and other points, but we still have challenges at the endpoint."

"As we look at some of the adoption of the cloud, it's really new for everyone," said DISA's Risk Management Executive Roger Greenwell. "So we're all working together to figure out, how is it that we should work adoption of the cloud?"

DISA officials added that their two-year-old reorganization has increased agility and helped DISA move from its past as an organization that focused on fixed-point infrastructure to one that is increasingly developing mobile solutions for the warfighter.

They said the agency is now more streamlined with better centralization that increases oversight and provides customers with single points of contact.

In addition, DISA is focusing more on a risk management approach and trying to speed getting new technologies into a testing environment.  

"What level of risk do we want to assess?" Greenwell asked. "Do we really want to focus our efforts on certain documentation, or do we really want to focus on what is the real risk of putting that into some form of environment?"

One capability DISA is hoping to move out soon is the replacement to the Common Access Card. DOD has been pushing for a new system of identity management in the form of a suite of behavioral and biometric measurements -- from fingerprints to movement characteristics -- that will increase security, access control and mobility.

DISA said that it is using Other Transactional Authority to speed the development of a CAC replacement in the form of a chipset.

"I think you'll see something in the near future that kind of gives us a path of really getting down to the chip level to generate a certificate and leveraging our derived credential," Hickey said.