john sherman Archives | DefenseScoop
https://defensescoop.com/tag/john-sherman/

Deputy CIO Leslie Beavers leaving DOD
https://defensescoop.com/2025/07/22/leslie-beavers-dod-deputy-cio-leaving/
Tue, 22 Jul 2025 13:26:08 +0000
Beavers will step down from her deputy CIO role at the end of September.

The post Deputy CIO Leslie Beavers leaving DOD appeared first on DefenseScoop.

The Department of Defense’s No. 2 IT official for the past two years is leaving the role, the department announced Monday.

Leslie Beavers, who also served as acting DOD CIO for a period at the end of the Biden administration and during the early days of the second Trump administration, will step down as DOD principal deputy CIO at the end of September.

“The Office of the CIO would like to congratulate Principal Deputy DoD CIO Leslie Beavers who announced today that she will be stepping down from her position at the end of September after more than 30 years of uniformed and civilian service,” reads a LinkedIn post from the DOD CIO’s office. “From projects such as Mission Partner Environment and the standup of the Cyber Academic Engagement Office to work to accelerate Identity, Credential, and Access Management enterprise solutions, Ms. Beavers’ unique blend of uniformed, civilian, and private industry experience drove success and innovation.”

Beavers also played a key role in the Office of the CIO’s delivery of its Fulcrum IT strategy in 2024 with then-CIO John Sherman.

In an exclusive interview with DefenseScoop, Beavers detailed the genesis of Fulcrum, which has become the guiding strategic framework for the Pentagon’s IT modernization.

“It was really important to crystallize the department’s vision into what success looks like, which is what we are attempting to do here in Fulcrum because I am trying to get program managers across the department — not just within the CIO organizations, but in all the different weapon systems program offices — to make decisions a little differently, to make them with the user experience in mind, to make them with interoperability as a priority first and really defining what success looks like, and giving them that vision,” she said.

When Sherman stepped down from the CIO role at the end of June 2024, Beavers filled it temporarily until Katie Arrington was appointed to perform the duties of CIO in March. Since then, Beavers retained her deputy role, supporting new efforts under Arrington’s leadership like the Software Fast Track initiative and “blowing up” the Risk Management Framework.

It’s unclear what Beavers’ next role will be after her departure or who will take her place when she officially leaves. DefenseScoop reached out to the Pentagon for comment.

Prior to serving as principal deputy CIO, Beavers was director of intelligence, surveillance and reconnaissance enterprise capabilities in the Office of the Under Secretary of Defense for Intelligence & Security, and before that an Air Force intelligence officer who reached the rank of brigadier general. She also held roles in the private sector with GE and NBC Universal.

Katie Arrington named acting Pentagon CIO
https://defensescoop.com/2025/03/03/katie-arrington-appointed-dod-cio-acting/
Mon, 03 Mar 2025 23:40:22 +0000
Katie Arrington was announced Monday as the Pentagon's official "Performing the Duties of the Department of Defense Chief Information Officer."

Mere weeks after being named the chief information security officer for the Defense Department, Katie Arrington was announced Monday as the Pentagon’s official “Performing the Duties of the Department of Defense Chief Information Officer.”

The DOD Office of the CIO announced the move by Secretary of Defense Pete Hegseth to place Arrington as the acting CIO in a post on LinkedIn. The post also confirmed that Leslie Beavers, who had been acting CIO since John Sherman left the role last June, will return to her primary role as principal deputy CIO.

“In this capacity, Ms. Arrington serves as the primary advisor to the Secretary of Defense for information management/Information Technology (IT); information assurance, as well as non-intelligence space systems; critical satellite communications, navigation, and timing programs; spectrum; and telecommunications,” per the LinkedIn post.

A defense official confirmed Arrington started in the role Monday.

The Pentagon CIO is a presidentially appointed role that requires Senate confirmation. It’s unclear if the Trump administration plans to nominate Arrington to the role, and the defense official did not comment when asked about the possibility.

Arrington returned to the Pentagon as CISO on Feb. 18. During the first Trump administration, she served as chief information security officer for the department’s acquisition and sustainment directorate and was regarded as a key architect of the department’s Cybersecurity Maturity Model Certification program, which aims to improve the cybersecurity posture of the defense industrial base and contractors by requiring minimum cyber standards to win contracts.

The final rule for the CMMC program went into effect last December.

Arrington is also known for her political career, running for Congress as a representative for South Carolina’s 1st District in 2018 as a Republican, during which she earned President Donald Trump’s endorsement. However, she lost that race to Democratic nominee Joe Cunningham.

Her tenure during the Trump administration was also marked with controversy. In 2021, Arrington was placed on leave in connection with an alleged unauthorized disclosure of classified information from a military intelligence agency and her security clearance was suspended. She eventually settled a lawsuit over the matter against the DOD in 2022 before announcing another bid for Congress that year.

The controversy surrounding her security clearance became a key discussion point in her run for the House, and she lost the Republican primary to Nancy Mace, who went on to win the seat.

DOD putting final touches on new zero trust ‘assessment standard’
https://defensescoop.com/2024/09/10/dod-zero-trust-assessment-standard-les-call-fed-talks/
Tue, 10 Sep 2024 20:39:31 +0000
Les Call, director of the DOD’s Zero Trust Portfolio Management Office, provided an update on his team’s unfolding pursuits.

A new assessment standard to guide how Pentagon components evaluate and approve zero-trust cybersecurity solutions for responsible use will soon be finalized and ready for release, according to a senior official overseeing its making.

In the Defense Department, the term “zero trust” refers to a still-maturing cybersecurity framework, broken down into 152 activities, that is collectively meant to enable continuous monitoring and repeated authentication to secure critical national security data and information. As its name suggests, the zero-trust model grants no implicit trust to any user, device or network segment and treats the network as already compromised.

During FedTalks 2024, hosted by Scoop News Group on Tuesday, Les Call — director of the DOD’s Zero Trust Portfolio Management Office — provided the latest update on his team’s unfolding pursuits to drive this implementation, and to continue “progressing at a fast rate.” 

“One of the things about a freight train is, once you get it going, you can’t stop, or it’s very, very difficult to stop. That’s the momentum that we’ve created, and that’s what we’re trying to do,” Call said.

The Biden Administration issued an executive order in 2021 mandating the federal government to secure cloud services and other assets via approved zero-trust approaches. Not long after that, in 2022, DOD’s then Chief Information Officer John Sherman set the department on an ambitious path to implement a fully zero trust-based architecture across its sprawling enterprise by 2027.

Call said Pentagon officials are working closely with a range of industry partners and representatives, including the Cloud Security Alliance, to pinpoint compliant capabilities that can accelerate DOD components’ paths to fully achieving zero trust.

“2024 was the year of concepts. We put together 18 proof of concepts, and three of them we’ve completed. One we’ve actually assessed — and that’s the Navy’s Flank Speed, which assessed the Microsoft cloud service provider network, which was very favorable in zero trust,” Call explained.

He confirmed that his team has also recently linked up with MIT Lincoln Laboratory to put together what he said will be “a proving ground” to continue to assess solutions. 

“We’re actually working on right now and finalizing an actual assessment standard, because you can’t assess zero trust the way you would do a normal red team assessment,” Call said.  

Although he did not provide further details on that effort, Call highlighted some of the CIO’s early progress on zero trust to date. However, he also emphasized the challenges that accompany “changing the culture” of how the Pentagon operates, particularly in terms of technology acquisition and cybersecurity at scale. 

Following Sherman’s recent departure, Principal Deputy Chief Information Officer Leslie Beavers stepped in as acting CIO and subsequently rolled out the department’s new IT advancement strategy, called Fulcrum.

Call said that Beavers had been “quietly working on” Fulcrum for two years. The strategy broadly places a sharp focus on agile processes and user experience, and outlines concrete metrics for officials to track tangible progress.

“And so as her philosophy lined up with what we’re doing, it now gives us the opportunity to utilize the hammer — that’s the CIO’s office — to affect this culture change,” Call said.

Before joining the Pentagon in 2023 as its “orchestrator for zero trust,” in his words, Call served as the White House National Security Council’s IT director.

“The DOD is the largest federal organization. When you think of your services, your military including the National Guard and Reserves, you’ve got over 2 million people, over 750,000 civilians made up of 43 separate components — and that covers more than 500,000 facilities across the world. And when you think about securing that vast space and how difficult that is — not to mention what a target that we are — it’s a pretty traumatizing task. And that’s kind of what I thought when I first was introduced a little over a year ago,” he noted.

Still, these measures and the ambitious approach are necessary to deter adversaries like the Chinese government, which Call said is operating on “correlating timelines” to DOD’s own when it comes to cyber threats and security.

“All of your major [U.S.] intel organizations have reported to Congress to say, ‘Hey, there’s this group called the People’s Republic of China, and they’re involved in all of our critical infrastructure and, oh, by the way, they’re doing this philosophy, which we call Living Off the Land where they’re just kind of camping out, and they’re waiting for the word so that they can create social havoc — meaning you and I could wake up one morning and we have no cell service, we have no power, and the water tastes like chlorine, so we can’t drink it. And then what do we do?’” Call said.

From Building 213 to the Pentagon: John Sherman reflects on his legacy in government
https://defensescoop.com/2024/06/28/john-sherman-defense-department-cio-exit-interview/
Fri, 28 Jun 2024 14:47:08 +0000
As he departs from his role as Pentagon CIO, John Sherman spoke with DefenseScoop about his career in government and what challenges DOD faces in the future.

If there was one thing John Sherman wasn’t afraid to do during his time as the Pentagon’s chief information officer, it was advocating for new ideas in a bureaucracy that is infamously resistant to change.

He had been leading the office on an acting basis since January 2021 and was confirmed to the role that December, a tumultuous era marked by controversy over the Joint Enterprise Defense Infrastructure (JEDI) cloud effort. In the midst of the fallout, Sherman recognized that the department needed to pivot.

“I truly felt we were figuratively fighting and dying on a hill not worth fighting and dying on,” Sherman told DefenseScoop. “All this litigation that we were stuck in and back-and-forth between the several cloud service providers, I felt we were all expending energy against the wrong goals.”

Six months into his tenure as DOD CIO, he made the recommendation to cancel JEDI — a program that sought a single vendor for the Pentagon’s first enterprise cloud capability — and pivot to a multi-vendor acquisition process under what is now known as the Joint Warfighting Cloud Capability (JWCC).

“That, to me, has been the flagship or one of the top achievements I’ve had as CIO,” Sherman said.

Sherman announced June 6 that he would be departing as Pentagon CIO by the end of the month, moving into a new role at Texas A&M University, his alma mater, as the Dean of the Bush School of Government and Public Service.

During an exit interview with DefenseScoop on Monday, Sherman reflected on his nearly three-decade career in government where he often campaigned for novel approaches and technologies to accomplish missions.

“Anytime you’re doing something new, you’re gonna break some glass doing it,” he said.

A ‘digitally focused’ IC

After serving in the Army as an air defense officer in the 24th Infantry Division, Sherman said he was interested in working in the intelligence community and initially applied to be an all-source analyst at the Central Intelligence Agency.

But when he received his interview package, he was sent to Building 213 in Washington, D.C.’s Navy Yard where the DOD was standing up the new National Imagery and Mapping Agency — now known as the National Geospatial-Intelligence Agency (NGA). Sherman was hired as an imagery analyst in 1997, investigating and distributing geospatial intelligence on the Iraqi Republican Guard.

“Working that Republican Guard account for several years will, and continues to be, one of my fondest memories in the IC — working with some amazing teammates in Building 213 supporting U.S. Central Command and other entities with what I thought was insightful analysis during the no-fly-zone days, and then moving to the start of Operation Iraqi Freedom and onward,” Sherman said.

He would spend the next 23 years in the intelligence community, including as the CIA duty officer in the White House Situation Room, an all-source analyst on the National Intelligence Council and a role at the NGA Office of the Americas.

Notably, Sherman was part of the small team that was present in the White House Situation Room on the morning of the September 11 attacks on the World Trade Center.

“It was a sobering experience, but also we were honored to be there to support crisis operations on that day,” he said.

In 2014, the CIA was looking to become more “digitally focused,” and Sherman became one of two deputy directors of the CIA’s Open Source Enterprise (OSE) managing the tradecraft of open source intelligence. He led the Middle East and Asia portfolios, as well as the portfolio for emerging technologies where he first began experimenting with commercial cloud capabilities, he noted.

While at OSE, Sherman helped stand up a low-side cloud capability called the Open Source Data Layer and Services (OSPLS). The effort leveraged Amazon Web Services and other capabilities provided by the IC’s Commercial Cloud Services (C2S) program to provide a cloud-based environment for less sensitive and non-critical information.

He detailed how he also took part in the Eyesight Mission Users Group. Although the group’s focus is classified, Sherman said the experience taught him critical lessons on data standards and exactly how cloud technology works.

“What I was able to do was, as one of the initiative leaders, use open-source gathered information to feed into NSA’s gov cloud — which was their part of the classified capability — to then run the compute against this open-source information and find new things that we would not have been able to discover otherwise,” he said.

Sherman was later tapped to serve as the intelligence community’s CIO in 2017, and during his time he initiated several innovative changes that allowed the IC’s IT enterprise to evolve. 

One of those was shifting the focus of a program known as the Common IC Desktop Enterprise, which initially looked to create a unified architecture that would allow analysts and officers to move between agencies without the hassle of transferring their data. Despite all of the money and time the IC had already invested into the effort, Sherman said he recognized it wasn’t working.

“It was never going to scale out to being this IC-level capability that it was envisioned to be, and so we pivoted to a federated architecture where we would have standards and then be able to accomplish some of the same interfaces — but not with this unified overall architecture that we were first going along,” he said. 

Another accomplishment as IC CIO was the creation of the Commercial Cloud Enterprise (C2E) program. The intelligence community had been using a single-vendor approach under C2S since 2014, and Sherman initiated the follow-on C2E effort to bring a multi-vendor, multi-cloud capability to the IC in 2020, with Amazon Web Services, Microsoft, Google, Oracle and IBM serving as vendors.

“I’ll also admit this freely — C2E was the model for what became JWCC at DOD,” he said.

Leaning into hard decisions

Sherman was brought into the Defense Department as the principal deputy CIO in 2020, later replacing then-CIO Dana Deasy when he left his position in 2021. Although the department was grappling with many problems with its IT enterprise then, there are still a number of other issues the new CIO who replaces him will face in the future, he said.

“I don’t know what the next hard decision is going to be, but be ready to lean into that,” he said. 

Still, Sherman touted the accomplishments he made during his time at the Pentagon, especially related to the department’s pivot to JWCC and the awards made to Google, Oracle, Amazon Web Services and Microsoft for the program at the end of 2022.

He noted that over $700 million worth of task orders across all three security classifications have been awarded through JWCC to date, with organizations like the F-35 Joint Program Office, defense agencies and combatant commands all on board with the program.

JWCC’s growth has also initiated the Pentagon’s new Joint Operational Edge (JOE) initiative to provide cloud capabilities at the tactical edge — a concept he calls the “lily pad.” One JOE cloud has already been installed at Joint Base Pearl Harbor-Hickam in Hawaii, another is coming online next in Japan, and the Pentagon is currently looking at sites for a third one in Europe, he said.

“One of the big things that we talk about a lot with cloud tradecraft is procuring cloud is not the end of the story. You have to learn how to use it, you have to learn how to apply it to your mission,” Sherman noted.

As it prepares for the next phase of the program, dubbed JWCC 2.0, Sherman has directed the CIO’s team to conduct an after-action review of the entire effort. 

“While I’m a huge fan of it, I know it’s not perfect. Because like with C2E, we’re kind of figuring out how to walk and chew gum in a multi-vendor environment,” he said. “What can we do better for JWCC 2.0? Are there things we can put into place to make [software-as-a-service] offerings easier to manage?”

Along with cloud modernization, Sherman has led efforts to improve user experience at the department by creating a UX portfolio management office at the CIO, fix the lengthy authority to operate (ATO) process in response to complaints from industry, and move the Pentagon into adopting a zero-trust cybersecurity framework by 2027.

In a statement to DefenseScoop, Deputy Secretary of Defense Kathleen Hicks praised Sherman for positioning the department for success while he served as CIO.

“John tackled some of the most complex challenges in the Department during his tenure, advancing the Department’s information advantage and improving our decision superiority, from the combatant commander down to the platoon leader,” Hicks said. “His leadership on ground-breaking initiatives such as the Joint Warfighting Cloud Capability, Zero Trust Architecture, and the Emerging Mid-Band Spectrum Sharing assessment materially strengthened US national security.”

A key challenge for the department moving forward will be to ensure it is modernizing at the pace it needs to, all while leveraging industry capabilities when it can, he said.

“As we talk big thoughts about edge cloud and transport and zero trust, never forget that it comes down to a service member’s ability or civilian’s ability to do their job — not only at the Pentagon, but out at Osan Air Base in Korea, or onboard a ship in the Red Sea, or at a special forces detachment in Africa,” Sherman emphasized.

Another will be tackling the Pentagon’s growing tech debt, he added. Warfighters are still using a lot of outdated technology from previous conflicts in the Middle East, and Sherman noted that understanding that priority and leveraging the entire enterprise to address it quickly is crucial for the department.

“We’ve got to pay the piper on this because in the digital battlefield that we’ve seen in places like Ukraine and what we could have to face in the western Pacific, these digital IT capabilities are war-winning technologies,” Sherman said. “It’s not just blinky lights and data centers, this is the difference for decision capability for our commanders.”

When asked what advice he would give to the next DOD CIO, Sherman emphasized the importance of working as a team with all of the departments and components at the Pentagon, as well as collaborating with industry as much as possible.

He also pointed to the importance of strong leadership when making hard decisions and setting a clear north star for some of the departments where change might be a heavy lift.

“This has been the greatest opportunity I’ve had professionally, but also I’d be lying if I didn’t say it’s the most challenging,” Sherman said. “So that would be my advice to the next CIO: Buckle your chin strap and get ready, because this is going to be a heck of a ride.”

Leslie Beavers, DOD’s principal deputy CIO, will serve as acting CIO as Sherman departs until the department makes a decision on a full-time replacement.

Pentagon CIO tells agencies, industry to put a stop to email typos that could disclose sensitive info
https://defensescoop.com/2024/06/20/pentagon-cio-tells-agencies-industry-fix-email-typos-unauthorized-disclosure/
Thu, 20 Jun 2024 20:50:09 +0000
"While this type of unauthorized disclosure is different from intentional and illegal disclosure of classified materials, the Department still takes very seriously all kinds of unauthorized disclosures of Classified National Security Information or Controlled Unclassified Information,” John Sherman wrote in a recent memo.

Department of Defense Chief Information Officer John Sherman is calling on other U.S. government agencies, the defense industrial base and international partners to take steps to prevent typos that could accidentally divulge sensitive military information to unintended email recipients.

In a May 23 memo with the subject line, “Unauthorized Disclosure Due to Typographical Errors,” which was recently cleared for public release, the Pentagon CIO highlighted an issue that was in the news last year and appears to be an ongoing problem.

“The Department of Defense (DoD) has been encountering typographical errors that mistake the .ml domain for the .mil domain. Such errors could result in the misdirection of emails intended for a DoD (.mil) recipient to an unintended recipient on Mali’s sovereign ‘.ml’ domain. More important, such unintended misdirection of email could result in unauthorized disclosure of Controlled Unclassified Information. While this type of unauthorized disclosure is different from intentional and illegal disclosure of classified materials, the Department still takes very seriously all kinds of unauthorized disclosures of Classified National Security Information or Controlled Unclassified Information,” Sherman wrote.

“The DoD therefore requests that all U.S. departments and agencies, international allies and partners, and members of the defense industrial base exercise vigilance and take policy and technical measures to prevent typographical errors that could result in unauthorized disclosures. For its part, the Department implemented technical controls to block emails originating from the DoD network to the entire .ml domain, while retaining the ability to allow, by exception, legitimate emails to the .ml domain,” he added.

Last summer, the Financial Times reported that “millions” of emails intended for Defense Department employees ended up in the wrong place because of the domain mixup.

At a July 17, 2023, press briefing, Pentagon Deputy Press Secretary Sabrina Singh was asked about what the department was doing to mitigate the problem.

“We’re aware of these unauthorized disclosures of controlled national security information,” she said. “We’ve implemented policy and training mechanisms and put them in place. And in terms of what we have here on the DOD systems is that when you send an email from a DOD email address, and you send it to a .ml email address, it will bounce back. So, a DOD email address will not be able to send to that email address.”

However, that move didn’t completely fix the problem across the board.

“We can’t control how other domains and how other websites send information. So, if an email was sent from a personal Gmail or Yahoo account that did likely go through to the .ml account, all we can do is account for our DOD assets, and ours remain intact,” Singh said during the briefing.

Sherman’s recent memo is aimed at getting other organizations to also put in place more effective controls.
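One way to implement the control the memo describes, as an added example that is not DOD's own tooling and is not part of the original article: the screening function below blocks any outbound recipient under the .ml top-level domain unless the exact address is on an approved-exception list, and goes one step beyond the memo by holding for review any recipient domain that is one edit away from a known .mil domain (the memo only speaks of .ml; the near-miss check is this example's own generalization). The exception list, the set of known .mil domains and the sample recipients are constructed for illustration, not taken from any DOD configuration.

```python
"""Outbound recipient screening for the .mil -> .ml typo problem.

Added example, not DOD's own code. Models the control the memo describes
(block mail to the whole .ml TLD, allow by exception) plus a near-miss
check for domains one edit away from a known .mil domain.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed allowlist: .ml addresses an exception process has approved (hypothetical).
APPROVED_ML_RECIPIENTS = {"liaison@defense.gouv.ml"}

# Constructed reference set of legitimate .mil domains the organisation mails regularly.
KNOWN_MIL_DOMAINS = {"mail.mil", "army.mil", "navy.mil", "af.mil"}

# Top-level domains that outbound mail may not reach without an exception.
BLOCKED_TLDS = {"ml"}


@dataclass(frozen=True)
class Verdict:
    recipient: str
    action: str   # "allow", "block" or "hold" (hold = quarantine for human review)
    reason: str


def _domain(addr: str) -> Optional[str]:
    """Return the lower-cased domain part of a simple user@domain address, or None."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", addr.strip())
    return m.group(1).lower() if m else None


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_recipient(addr: str) -> Verdict:
    dom = _domain(addr)
    if dom is None:
        return Verdict(addr, "block", "unparseable address")
    # Exceptions are matched on the full address so a single approved mailbox
    # does not open up the whole domain.
    if addr.strip().lower() in APPROVED_ML_RECIPIENTS:
        return Verdict(addr, "allow", "approved exception")
    tld = dom.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:
        return Verdict(addr, "block", "recipient TLD .%s is blocked" % tld)
    # Near-miss check: a domain one edit away from a known .mil domain, such as
    # "army.mi1" (digit one), is held rather than blocked so legitimate but
    # unlisted .mil domains can be released by a reviewer.
    for known in sorted(KNOWN_MIL_DOMAINS):
        if dom != known and levenshtein(dom, known) == 1:
            return Verdict(addr, "hold", "looks like a typo of %s" % known)
    return Verdict(addr, "allow", "no issue")


def screen_outbound(recipients: Iterable[str]) -> List[Verdict]:
    """Screen every recipient of one outbound message; the caller drops or
    quarantines the message if any verdict is not 'allow'."""
    return [check_recipient(r) for r in recipients]


if __name__ == "__main__":
    # Constructed sample recipients.
    for v in screen_outbound(["jane.doe@army.mil", "jane.doe@army.ml",
                              "liaison@defense.gouv.ml", "jane.doe@army.mi1"]):
        print(v.action.ljust(5), v.recipient.ljust(28), v.reason)
```

The exception list is keyed on the full address rather than the domain so that one approved correspondent in Mali does not silently reopen the entire .ml TLD, which is the failure mode the memo's "by exception" wording is guarding against. A near-miss hit is a hold, not a block, because the reference set of .mil domains will never be complete and a hard block would create a steady stream of false positives on legitimate but unlisted commands.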

“We value your partnership in support of the Department’s missions and thank you for your continued efforts to safeguard our military and national information,” he wrote.

Sherman is set to depart from his role as Pentagon CIO at the end of the month to serve as the next dean of the Bush School of Government and Public Service at Texas A&M University, his alma mater.

David McKeown, the deputy CIO for cybersecurity and chief information security officer, is listed as the department’s point of contact for the typo issue outlined in Sherman’s memo.

DOD CIO John Sherman departing at the end of June
https://defensescoop.com/2024/06/06/dod-cio-john-sherman-departing-at-the-end-of-june/
Thu, 06 Jun 2024 15:29:08 +0000
A statement from Defense Secretary Lloyd Austin said Sherman has better positioned DOD to take advantage of technological developments and respond to digital threats.

The Department of Defense’s chief information officer, John Sherman, will be departing his role at the end of the month, according to a statement by Secretary of Defense Lloyd Austin.

He will head off to Texas to serve as the next Dean of the Bush School of Government and Public Service at Texas A&M University, his alma mater, according to a post on LinkedIn.

Sherman has been the only Senate-confirmed CIO for the Pentagon during the Biden administration, having come to the role after a long career in the IT space for several national security organizations and most recently as the CIO of the intelligence community.

“Mr. Sherman has been a steadfast advisor and an innovative leader who has helped the Department adopt and utilize modern information technology to keep our country safe. His technical expertise has proven invaluable in tackling a variety of digital challenges. His focus on mission readiness has ensured that each of the Services is equipped with both the capabilities and the digital workforce necessary for modern warfighting,” Austin said in a statement Thursday. “Under his leadership during the past two and a half years, the Department has restructured its approach to cybersecurity. Today we are better positioned to take advantage of technological developments and respond to digital threats. And we’re working with our international partners to set the global rules and standards for responsible cyber practices for generations to come.”

Sherman’s initial tenure was marked by the significant shift of the DOD from the marred Joint Enterprise Defense Infrastructure (JEDI) cloud effort that sought a single vendor for the Pentagon’s first enterprise cloud capability. The department decided to move away from JEDI into a multi-vendor acquisition process under what is known as the Joint Warfighting Cloud Capability (JWCC).

Four vendors — Google, Oracle, Amazon Web Services and Microsoft — were awarded under that effort in late 2022. Over 80 task orders with a total value of more than $600 million have been awarded to date.

Sherman has also overseen the DOD’s efforts toward a “zero trust” framework to better protect networks and data from unauthorized disclosures, leaks and adversary activities to steal sensitive information. Zero trust is a cybersecurity concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.

The Pentagon released its zero trust strategy in 2022, outlining “target levels” of zero trust: a minimum set of 91 capability outcomes that agencies and components across the department must meet to secure and protect their networks, with a deadline of no later than Sept. 30, 2027.

Most recently, Sherman unveiled a process across DOD, dubbed reciprocity, that allows one organization’s authorization for a system to operate on the network to be honored by others.

The Pentagon announcement did not say who will be performing the duties of CIO after his departure. Leslie Beavers is currently serving as the principal deputy chief information officer.

Post-data breach, DOD held ‘very candid discussions’ with Microsoft
https://defensescoop.com/2024/05/14/post-data-breach-dod-microsoft-discussions-john-sherman/
Tue, 14 May 2024 22:25:36 +0000
A recent interview with the Pentagon's CIO suggests there’s still much to be revealed about the incident’s scope.

Pentagon leadership is satisfied with the security protocol adjustments Microsoft made in the aftermath of the data spill that exposed the sensitive, personal information of more than 20,000 people early last year, according to the department’s Chief Information Officer John Sherman.

In an interview last week on the sidelines of the annual GEOINT Symposium, the CIO provided new details about his team and the tech vendor’s ongoing response to that massive, but still publicly murky, data breach incident.

“I want to emphasize that Microsoft did a thorough after-action review to determine what happened on that, and to ensure it wouldn’t happen again,” he told DefenseScoop, adding that due to sensitivities he couldn’t elaborate on what was found.

Broadly, Sherman’s responses suggest there’s still much to be revealed regarding the incident’s scope and Microsoft’s immediate handling of the data compromise, which impacted thousands of current and former Defense Department employees, job applicants and partners in February 2023 — though most weren’t alerted about it until a year later.

“I’m not going to be able to confirm which DOD components were affected,” he said in the interview.

As DefenseScoop initially reported when this security incident first came to light, heaps of emails containing personally identifiable information (PII) were inadvertently exposed and accessible online via commercial servers for a little over two weeks.

Although Sherman and other senior officials would not confirm the DOD organizations that had emails and other records unmasked in the breach, screenshots that an independent security researcher shared with DefenseScoop of the data present on the Microsoft server when it was exposed online show sensitive details associated with U.S. Special Operations Command personnel.

The text included multiple military officials’ names, spouses’ names and addresses — and also detailed a variety of other personal information including but not limited to their religious preferences, the churches they attend, their pets and overall deployment history. 

“What I will tell you is that we worked very closely with Microsoft on this to see what happened. They were very forthcoming about what happened, and they adjusted their procedures to make sure that this would not happen again, in terms of the personally identifiable information, or PII that was compromised,” Sherman told DefenseScoop.

“And so this isn’t us raking them in over the coals or anything like that, but we had some very candid discussions at my level to protect our service members and civilians. But I will not be able to go through the affected entities within DOD,” he added.

Sherman said he wanted to give Pentagon Deputy Chief Information Officer for Cybersecurity David McKeown and his team “a shout out” for working closely with the impacted military components and Microsoft to respond to the incident.

In September 2023, the department awarded an identity protection services-focused contract for a vendor to notify and support all individuals who had data unmasked in the breach.

Sherman could not immediately confirm whether everyone involved has been notified of the exposure to date. 

He also wouldn’t supply in-depth information regarding what was believed to be the original cause of the data spill, though he broadly pointed to “cyber hygiene and configuration management.”

“I won’t get into a lot of details. This is just kind of, from my words, just kind of [about] good housekeeping here of procedures and adhering to procedures. And again, Microsoft, the vendor, has been very transparent on this — as with any entity that’s gone through something on being forthright on what needed to be fixed. [The DOD’s zero-trust concept] is kind of about this. But part of this is just when you say you need to do A, B, C, and D, you have to do those things — and double check it to make sure all the barn doors are closed, that should be closed,” Sherman said in the interview.

On Tuesday, a Microsoft spokesperson declined to comment.

The company is one of four major U.S. technology giants competing for individual task orders to ultimately provide the Pentagon’s envisioned enterprise cloud capability that will underpin vital data workloads to enable future military operations.

Despite demand, DISA financially constrained to scale cloud capabilities overseas
https://defensescoop.com/2024/05/10/disa-oconus-cloud-joint-operational-edge-joe/
Fri, 10 May 2024 20:38:32 +0000
Part of the strain comes from the large amount of infrastructure and capability that DISA must allocate money towards maintaining.

The Defense Information Systems Agency is conducting a number of pilots to provide commercial cloud capabilities to warfighters outside of the continental United States. But a lack of available funding has slowed the expansion of those services to more locations and users, an agency official said.

In 2023, DISA began its Joint Operational Edge (JOE) initiative, envisioned as an integrated mesh of edge computing platforms located at Defense Department sites that could provide cloud capabilities overseas. The agency then launched different beta programs to test and scale its OCONUS (outside the continental United States) cloud offerings, one of which is a version of the Stratus private cloud capability at Joint Base Pearl Harbor-Hickam in Hawaii in support of operations in Indo-Pacific Command’s area of responsibility.

Col. Jeffrey Strauss, DISA’s acquisition deputy for programs, said that while the overall effort is going well — with one of the OCONUS cloud offerings already being used to its maximum capacity — the agency is competing for funds to do more.

“There is a demand [and] appetite to do more and to prototype some new ones,” Strauss told DefenseScoop on Friday during an event hosted by Washington Technology. “The challenge there is we don’t have a lot of free capital for DISA to invest if we don’t know we have a customer.”

Part of the strain comes from the large amount of infrastructure and capability that DISA must allocate money towards maintaining, Strauss explained. A significant portion of the agency’s annual budget is eaten up by operation-and-maintenance funding to sustain current ops, which restricts how much money it can dedicate to new investment in its research-and-development portfolio, he said.

For example, DISA requested $2.6 billion in its O&M budget for fiscal 2025 and just $258 million for R&D projects.

“When you have this big sustainment bill and it grows, what gets pressured is investments into new things,” Strauss said.

As a combat support agency to the entire Defense Department, DISA also receives money from the other components via the Defense Working Capital Fund, a type of revolving pot of money that supports buying and selling of services across the Pentagon. Individual agencies put a portion of their budgets into the fund, which is then used by DISA to perform the specific services that others order from them.

Strauss indicated that although DISA hears the demand for OCONUS cloud capabilities from the military services, that demand doesn’t necessarily translate into the funding they provide through the working capital fund, creating another barrier to deploying more cloud capabilities outside of the United States.

In a separate interview with DefenseScoop, DOD’s Chief Information Officer John Sherman noted that OCONUS offerings weren’t initially part of the Pentagon’s push to deploy enterprise cloud capabilities under the Joint Warfighting Cloud Capability (JWCC).

However, there was recognition that future operations in the vast distances of the Indo-Pacific might require additional infrastructure, he said.

“JWCC’s infrastructure is in the continental United States, and the cloud service providers have edge capabilities that you could carry around in a [Joint Light Tactical Vehicle] or maybe even a personal portable sort of thing,” Sherman said Wednesday on the sidelines of the GEOINT Symposium in Florida. “There’s a real tyranny of distance from the Marianas Islands all the way back to California or Arlington, Virginia. You need a lily pad somewhere so you don’t have to backhaul the information.”

The larger JOE program is tackling how to provide those cloud capabilities to warfighters operating in remote locations. Along with the initial prototypes for Indo-Pacom, Sherman said his office is already looking at other deployment options in the Western Pacific, Europe and elsewhere.

“Part of this is cloud tradecraft. We’re learning this as we go along here with the intelligence community to figure out how to do cloud capabilities from the continental United States out to the tactical edge,” he said. “JOE cloud is one of those things we’ve learned that we need in place to have that sort of connectivity.”

DefenseScoop reporter Brandi Vincent contributed to this story.

Pentagon CIO previews ‘Fulcrum,’ the next digital modernization strategy
https://defensescoop.com/2024/05/09/pentagon-cio-fulcrum-digital-modernization-strategy-preview/
Thu, 09 May 2024 22:20:12 +0000
“The June time frame is when you'll be seeing some release on that," John Sherman told DefenseScoop.

KISSIMMEE, Fla. — Aiming to accelerate the Defense Department’s evolution from a hardware-defined to a more adaptable, software-defined enterprise, its chief information officer is preparing to issue a next-generation digital modernization strategy.

“We are going to call it ‘Fulcrum,’” CIO John Sherman told DefenseScoop in an interview on Wednesday. “The June time frame is when you’ll be seeing some release on that. So, we’re polishing it up and getting it ready.”

The forthcoming document, which Sherman also discussed during his keynote at the GEOINT Symposium, is one of multiple fresh policies and resources his team has been preparing to address issues that continue to impede digital modernization and innovation across the department.

“It represents the department’s ambitious Information Technology (IT) Advancement Strategy designed to leverage the power of technology to drive transformative change and serves as a tipping point for catalyzing digital modernization for the warfighter,” DOD spokesperson Cmdr. Tim Gorman told DefenseScoop in an email on Thursday.

In the interview with DefenseScoop, Sherman elaborated on how the new guide has been coming together.

“We brought together a multidisciplinary team from not only the military services, but some of the other agencies, like the Defense Contract Management Agency, etc., for several on-sites to flesh this out,” he explained.

The Fulcrum strategy will build on the DOD’s 2019 defense modernization strategy, which Sherman said was the flagship document. He confirmed that the Pentagon’s Deputy CIO Leslie Beavers has been leading the development of the new plan, and in doing so she’s working closely with the department’s Customer Experience Officer Savanrith “Savan” Kong.

“This [digital modernization strategy] isn’t going to just be [structured] by functional area, it’s going to be cross-cutting. As we look at different lines of effort like providing capabilities and expanding the Joint Force and combined force dominance, modernizing information networks, IT governance, and building the digital workforce — not just cybersecurity, not just C3, not just cloud,” Sherman said at the GEOINT Symposium.

“And a key enabler in this has been our Customer Experience Office, or CXO. We’ve all heard about the ‘fix our computers’ issues. We took this seriously and we brought some super experts back in from industry and elsewhere as we got after this, and we started to solve hard problems,” he added. 

Sherman entered the intelligence community in 1997 as a CIA imagery analyst assigned to what was then known as the National Imagery and Mapping Agency. That hub morphed into the National Geospatial-Intelligence Agency, or NGA — and there, Sherman went on to serve in a host of senior executive positions associated with data collection and analysis, homeland security, and more, before he was tapped as DOD’s top IT official.

“As I think about future information technology, again, I harken back to very much of my time in NGA. [The agency] has always had a reputation for being out at the edge. I think about the thousands of deployers NGA has sent downrange over the years, along with our industry colleagues — whether it’s Iraq, Afghanistan, [Combined Joint Task Force-Horn of Africa], Haiti and numerous other places — we’ve always been out at the edge,” Sherman said.

Experiences at NGA “did my heart well,” he said, noting that his time there deeply informed his intent now as CIO to help enable the Pentagon to become a more “rugged, flexible, secure, and resilient” information- and data-driven enterprise.

The new Fulcrum guide is one move he’s making to ensure he can hold his team accountable in accomplishing that aim, he added.

Pentagon issues new guidance to address industry gripes about ATO process
https://defensescoop.com/2024/05/08/pentagon-ato-guidance-address-industry-complaints/
Wed, 08 May 2024 21:01:31 +0000
"We're trying to strike a balance in maintaining our [risk management framework-driven] cybersecurity, but to make sure that we are able to move more quickly and not have to basically check everyone's homework,” CIO John Sherman told DefenseScoop.

KISSIMMEE, Fla. — In direct response to recent complaints from industry officials about how the authority to operate (ATO) process is hindering rapid technology and software innovation, Department of Defense leadership issued new guidance aimed at resolving risk management and cybersecurity reciprocity challenges.

Reciprocity essentially enables a federal entity to reuse another organization’s security assessment of a system, whether that organization is internal or external, and to share that assessment information rather than repeating the work, ultimately reducing the time and investment costs that accompany approving IT systems to operate on its information networks.

During his keynote at the annual GEOINT Symposium on Wednesday, Pentagon Chief Information Officer John Sherman unveiled a new one-page memorandum signed by Deputy Defense Secretary Kathleen Hicks on May 2 that directs “testing re-use and reciprocity to be implemented [by DOD authorizing officials] except when the cybersecurity risk is too great.”

“This is coming from the deputy secretary on down that reciprocity should be a default. It should be the first choice as opposed to having to redo all the due diligence again. We’re trying to strike a balance in maintaining our [risk management framework-driven] cybersecurity, but to make sure that we are able to move more quickly and not have to basically check everyone’s homework,” Sherman told DefenseScoop in an interview after his keynote.

He provided a hypothetical scenario to help paint a picture of the key issues his team is trying to address and the type of acceleration they’re seeking to facilitate.

“If you have a company who’s already got a product that’s gone, say, through the Department of Air Force and got on an ATO there, then let’s say the Navy wanted to use it. By default, they should be willing to take the body of evidence of the authorizing official from the Air Force unless they look at it and there is a tangible, substantive reason why they don’t believe the ATO was done well enough — and then we have a bigger issue that we need to jump into. These Air Force and Navy examples are just hypothetical, but that’s what it does,” Sherman explained.

“If you have your company, you shouldn’t have to go through each different hoop and hurdle here. It should be more universally accepted,” he added.

Notably, Hicks’ memo also mandates that Pentagon components elevate any associated policy and implementation issues straight to Sherman and his team.

“DOD Components can request DOD CIO assistance in resolving reciprocity and other RMF policy, guidance, and technical issues by contacting the RMF Technical Advisory Group secretariat, within DOD CIO, at osd.pentagon.dod-cio.mbx.rmf-tag-secretariat@mail.mil,” Hicks wrote in the guidance.

During his keynote, Sherman spotlighted that elevation.

“I saw on LinkedIn, as recently as this morning, some folks talking about this. And I want to let you all know: We’ve heard you loud and clear on this within the DOD. I’m not going to say this is going to solve every bit of it, but it’s going to help us a bit,” he told the audience.

During the interview with DefenseScoop, he wouldn’t disclose exactly which industry representatives he was pointing to in that call-out.

“We’ve heard enough anecdotes. We need actual examples of where this is gumming up the process, because ATOs — which are necessary, you don’t want to not do these — but they have gotten a bad name as an innovation- or speed-stifler. So we’re going to take a little more direct involvement in this from the DOD CIO office,” Sherman said.

While this initial guidance is for the Pentagon, the CIO’s team is also going to generate and release similar recommendations for the intelligence community.

“That’s kind of our next hill to climb later, because of different classifications and where those bodies of evidence are kept on secret or top secret, versus unclassified databases and so on,” Sherman told DefenseScoop.

Acknowledging that “the software community is a very passionate community — and the ATO process, frankly, has been cumbersome,” the Pentagon’s top IT official confirmed that he opted to bring this up to Hicks for support.

“I’ll be very honest. We often, as a principal staff assistant, kind of pick where we need the big bosses to sign off. And we did believe on this one, yes, a CIO can do this, but [we should] have the deputy secretary send a very clear signal that this isn’t just CIO stuff. This is a department priority,” Sherman said.
