No-longer-acting Pentagon CIO holds forth

Defense Department CIO Terry Halvorsen is planning a pilot project to support his case for more public-private data centers, he told FCW on March 9.

The Pentagon's IT chief said he hopes to have a pilot running by the end of the summer in which a private firm offers data distribution services at a government facility while still serving outside, commercial customers from the same site. "I do believe that if we can pull this hybrid [data center model] off, we will meet the standards, and we will absolutely lower the cost of operation," he said.

There may be some legal restrictions on data-storage firms serving outside clients from Pentagon facilities, Halvorsen said, explaining why he recently asked Congress to consider drafting legislation to help facilitate public-private data centers. The pilot project could clarify what legislative help the Pentagon might need on data centers, added Halvorsen, who spoke to FCW a day after he was made the full-fledged DOD CIO rather than the acting one.

The Pentagon needn’t wait for Congress to act to make some policy changes on data centers. The DOD CIO said he is working with the military services to come up with performance metrics for consolidation.

"I want a set of metrics that says I have absolutely reduced the cost of the operation and have ensured that the data is protected at the appropriate level," Halvorsen said, while noting that reducing the number of servers used by an organization does not guarantee a reduction in operating costs.

Won’t back down

Since becoming the Pentagon's top IT official in May, Halvorsen has made a point of trying to speed adoption of commercial cloud while also being blunt with cloud providers on his department’s security requirements.

At the first DOD cloud industry day in January, Halvorsen called on cloud providers to own up to the unique "political liability" that comes with handling sensitive DOD data.

"It's about trust, in that industry has to trust I'm being as transparent as I can be, that I'm not making these requirements up on the fly," he told FCW, adding that aside from his public speeches, he speaks with cloud providers one-on-one on the subject.

Halvorsen said he welcomes suggestions from cloud providers on new approaches to meeting security requirements, but added: "What I can't do – and what I won't do – is back down" on data security and liability requirements.

If a cloud provider loses DOD data, there is a protocol for notifying those affected by the data breach, providing evidence that the breach won’t happen again and documenting the extent of the data loss, according to Halvorsen. Those criteria require the cloud provider to have "enough control systems in place to be able to answer those questions," he said.

When asked whether firms might ditch the DOD cloud market over the strict security requirements, Halvorsen said he was unconcerned by that prospect. "It's a lot of money and I'm convinced that that will motivate them," he said -- along with a sense of duty to the country.