The CIO’s recently released software modernization implementation plan for fiscal 2025 and 2026 marks another call from Pentagon leadership for the entire department to improve delivery of software-based capabilities. The document lists three key goals for the next two years — focusing on software factories, enterprise cloud and transforming processes — as well as specific tasks for each goal that aims to improve overall software modernization.

The goals and tasks in the document build upon the DOD CIO’s first software modernization implementation plan for fiscal 2023 and 2024. According to the new roadmap, the Pentagon completed 27 out of 41 of the tasks outlined in the previous plan, carried 12 tasks over to FY25 and FY26 and combined two tasks with others in the updated document.

Rob Vietmeyer, chief software officer for the deputy CIO for information enterprise, said that while working through the goals in the first implementation plan, the office realized that some of the associated tasks weren’t mature enough to fully execute on.

“For a small portion, we learned that we didn’t know enough about a couple of those activities, so we dropped them. And then some of them, we were maybe over aggressive or they evolved,” he said Wednesday during a panel discussion at AFCEA’s TechNet Cyber conference. “I’ll say, from an agile perspective, we didn’t have the user score exactly right, so some of these stories have continued into the implementation plan two.”

The first goal outlined in the new plan is to accelerate and scale the Pentagon’s enterprise cloud environment. Along with its multi-cloud, multi-vendor contract known as the Joint Warfighting Cloud Capability (JWCC), the department also has a number of other efforts aimed at providing cloud infrastructure overseas and at the tactical edge. 

Vietmeyer said that even though JWCC has been a relative success — noting that the department has awarded at least $2.7 billion worth of task orders under the program — the contract vehicle was “suboptimal” for large acquisitions. The CIO is currently planning for what it calls JWCC 2.0, a follow-on phase that adds more vendors and different contracting mechanisms to the program.

Beyond JWCC, the implementation plan calls for the establishment of additional contract options for cloud innovation — specifically geared towards small business and “niche providers” — that can be awarded before the end of fiscal 2026.

“In the implementation plan, we’re trying to build that next-generation cloud infrastructure and extend it. Not just looking at JWCC, but we’re also looking at how we extend for small business cloud providers,” Vietmeyer said. 

The document also offers guidance for Pentagon efforts to expand cloud access to the edge, such as through Stratus or the Joint Operational Edge (JOE) environments. In the next two years, the department will develop a reference design for an “underlying cloud mesh” that facilitates data transport, software development and information-sharing across different infrastructures overseas, according to the plan.

The mesh architecture would allow warfighters from one military service to access a cloud node operated by a different service, or one owned by the Defense Information Systems Agency, Vietmeyer explained.

“We’ve seen that one of the challenges is moving to a mesh type of architecture, so we can identify where computing infrastructure exists and allow the warfighters to take advantage [of it],” he said. “How do we start to build the ability for applications and data to scale across that infrastructure in a highly resilient way?”

Along with enterprise cloud, another goal within the updated implementation plan focuses on creating a Pentagon-wide software factory ecosystem that fully leverages a DevSecOps approach. The CIO intends to take successful practices from the various software factories in DOD and replicate them across the department, according to the plan.

“DoD must continue to scale success and bridge the right disciplines together … to ensure end-to-end enablement and realization of the software modernization vision and adoption of software platforms and factories organized by domain,” the document stated.

The CIO will also work to remove existing processes and red tape that prevents software developers from accessing critical tools and capabilities; increase the number of platforms with continuous authorization to operate (cATO) approvals; and create a DevSecOps reference design for artificial intelligence and software-based automation deployment.

Lastly, the implementation plan outlines multiple tasks geared towards evolving the Pentagon’s policies, regulations and standards to better support software development and delivery — including creating secure software standards, improving software deployment in weapons platforms and growing its workforce.

Although work to accelerate the Pentagon’s software modernization has been happening for years, leaders at the department have begun pushing for more focused efforts to remove bureaucratic red tape through new guidance — such as Secretary of Defense Pete Hegseth’s Modern Software Acquisition memo released in March, and the CIO’s new Software Fast Track (SWIFT) program.

“For modern practices to become the routine way of developing and delivering software, policy, regulations, and standards must be reviewed and updated,” the implementation plan stated. “DoD must work with DoD Components to update policy and guidance to reduce the barriers to adopting new practices and to accelerate software delivery and cybersecurity approvals to enable adoption of the latest tools and services.”

The post Pentagon sets out two-year plan to scale enterprise cloud offerings, software factories appeared first on DefenseScoop.

Unlike the conflicts in the Middle East of the last 20 years against a technologically inferior enemy, Pentagon officials anticipate contested and congested digital environments where maintaining connectivity will be difficult — a concept known as DDIL, or denied, disrupted, intermittent and limited, in Defense Department parlance.

“Because the bandwidth that’s available in these pLEO satellite connections to our ground control stations is so big, we’re talking hundreds of megabytes of bandwidth with negligible latency, it makes things possible that you couldn’t do anymore. You don’t need to be persistently connected anymore,” Col. Jason Quinter, commander of Marine Air Control Group 38, said during a webcast Monday hosted by C4ISRNET, adding that this also includes the cloud.

In the past, U.S. troops were used to constant connectivity to higher headquarters or to pass data back and forth. Now, they will have to operate somewhat disconnected at times, but these new technologies are providing more bandwidth in those scenarios.

“pLEO is a game changer … That high amount of bandwidth and that low latency really changes what’s possible on modern networks,” Quinter told DefenseScoop in an Oct. 7 interview. “Because the satellites are in low-Earth orbit, you have significantly less latency than you typically would. What that means is it makes certain things possible that wouldn’t [otherwise] be possible.”

These constellations provide orders of magnitude more bandwidth than traditional program-of-record SATCOM capabilities, where forces would have to aggregate connections together to achieve 12 megabytes. Now, troops can have up to 200 megabytes or more depending on how much officials are willing to spend, allowing unprecedented connectivity and data.

Those constellations are also more resilient given there are more smaller satellites in orbit as opposed to a lower number of exquisite, geosynchronous orbit satellite communications architectures.

“Some of our senior leaders used to refer to those [military satellite constellations] as big, juicy targets for anti-satellite ballistic missiles. With the proliferation of these smaller, flat sats in lower orbit, orders of magnitude — four, five, six — and there’s plans for there to be 10-12,000 of these satellites in lower orbit, there’s inherent survivability in that constellation, just from the sheer numbers,” Quinter said in the webcast.

Those connections, however, are easier to jam, and officials have always been careful to warn that their access must factor into what the military describes as a PACE plan — or primary, alternate, contingency and emergency — depending on the operation.

But the enhanced connectivity those constellations provide will allow forces to operate more dispersed and disconnected on the battlefield, a key tenet as observations from current conflicts indicate static units will be much more vulnerable.

“Once you have that kind of bandwidth, you don’t need to be persistently connected. You could establish a hybrid cloud network,” Quinter said.

Quinter served on the Joint Staff’s J6 team when it was developing the overarching concept for Combined Joint All-Domain Command and Control, which envisions how systems across the entire battlespace from all the services and key international partners could be more effectively and holistically networked to provide the right data to commanders, faster. The word “combined” in the parlance of CJADC2, refers to bringing foreign partners into the mix. He noted that during that process, officials used to say the critical requirement to enable that concept is cloud.

Key to realizing that goal is the DOD’s enterprise cloud contract vehicle, the Joint Warfighting Cloud Capability (JWCC), the Pentagon’s highly anticipated $9 billion effort that replaced the aborted Joint Enterprise Defense Infrastructure (JEDI) program. Google, Oracle, Amazon Web Services and Microsoft were all awarded under the JWCC program in December 2022 and are competing for task orders. Officials in the past have indicated how important this vehicle is to the CJADC2 concept and enabling connectivity and interoperability of forces across the globe.

“We are working with companies … through their cloud environment and trying to establish that hybrid cloud architecture at the edge of the network, which could persist without a connection over pLEO. You could turn that satellite connection on and off as necessary to be more survivable,” Quinter said.

He noted that as long as units have enough processing power and storage at the edge, they don’t need to be constantly connected. They just need to be able to process the information in the field.

“I say ‘hybrid cloud’ because it needs to be both private and public, like we need to be taking advantage of the prime contractors that are on the Joint Warfighting Cloud Capability contract,” he said. “Those will enable us to leverage [a] big data center when we are connected to the enterprise. But we also need to have the hardware at the edge of our network that can handle cloud, hybrid cloud at the edge.”

Quinter noted that the entire DOD is looking at how to get forces to operate more persistently disconnected. He likened a future scenario to submarines that are usually disconnected, but they surface when they need to, download the necessary data and dive back down to resume their patrols.

“We learned that as communicators, that we need to have a PACE plan. You hear other folks from other communities talking a lot more about that now, but I would say that with the technology that’s available right now, you could essentially operate in a no probability to detect, no probability of intercept environment, because hybrid cloud will enable you to do many, many things on the edge of a network that you typically, at least historically, have not been able to do,” Quinter said.

This notion will require a paradigm shift and change in thinking for many service members that have been used to being constantly connected.

“One thing that I have noticed over the last two years in particular, [is] that we have a lot of teaching and educating that we need to do across the force when it comes to cloud,” he said. “I think there’s not enough people that understand how that technology works in particular, which puts us at a disadvantage, because as we’re designing these circuits to install, operate, maintain them in the network in a combat environment, we need to know what’s in the realm possible. I think cloud is not something with that we’re teaching in the schoolhouse yet, but we’re getting there.”

There is a bit of a misconception among many, Quinter added, given cloud is associated with large data centers.

“When people think about cloud, they think about data centers, like back in [the continental U.S.]. In their mind, I think it’s a natural default for most people to think, ‘Well, if I’m not connected to the data center, then how am I using the cloud?’” he said. “That’s what I meant by the level of education that’s required, even across the comm community, for people to understand what is and is not possible when it comes to cloud.”

The post Proliferated LEO, hybrid cloud capabilities enable U.S. forces to operate more disconnected appeared first on DefenseScoop.

In December 2022, the Pentagon awarded Google, Oracle, Amazon Web Services and Microsoft contracts spots on the $9 billion JWCC program — an effort that pivoted away from contracting a single vendor for the department’s first enterprise cloud capability under the Joint Enterprise Defense Infrastructure (JEDI), and instead sought a multi-vendor acquisition approach. 

Since then, the department has awarded over $1 billion worth of task orders to vendors on the program, DISA Director Lt. Gen. Robert Skinner said Wednesday. Speaking during a keynote speech at the annual Department of the Air Force Information Technology and Cyberpower conference, Skinner noted the agency is now looking at how to build upon the initial program for its next phase, dubbed JWCC 2.0.

“What I would offer is, what it’s going to bring is even faster commercial cloud capability, greater diversity — where we can hope that we can have even more cloud services providers — and potentially have an option of not having task orders competed,” Skinner said. He did not elaborate on how many additional vendors DISA is considering adding to the program.

Under the current contracting mechanism for JWCC, the four cloud service providers are able to bid on task orders from various Defense Department components. The contract vehicle allows the department to buy commercial cloud capabilities that best fit customers’ needs directly from the service providers.

Skinner noted that moving forward, future JWCC iterations could include both task order competitions as well as a potential indefinite delivery/indefinite quantity (IDIQ) contract vehicle as a way to provide “greater diversity and flexibility for the capability that we know we all need and are driving for.”

IDIQ contracts allow the Pentagon to purchase an unspecified amount of products or services under a specific timeframe, enabling the ability to place orders as needed up to a defined maximum amount specified in the initial contract.

DISA has not given a clear timeline on when the requirements for JWCC 2.0 will be released. Former DOD Chief Information Officer John Sherman previously told DefenseScoop that he directed his office to conduct an after-action review of the entire JWCC effort prior to his departure in June.

“While I’m a huge fan of it, I know it’s not perfect,” he said. “What can we do better for JWCC 2.0? Are there things we can put into place to make [software-as-a-service] offerings easier to manage?”

The post DISA mulls adding vendors, different contract types for JWCC 2.0 appeared first on DefenseScoop.

He entered the role in December 2021, a tumultuous era marked by controversy over the Joint Enterprise Defense Infrastructure (JEDI) cloud effort. In the midst of the fallout, Sherman recognized that the department needed to pivot.

“I truly felt we were figuratively fighting and dying on a hill not worth fighting and dying on,” Sherman told DefenseScoop. “All this litigation that we were stuck in and back-and-forth between the several cloud service providers, I felt we were all expending energy against the wrong goals.”

Six months into his tenure as DOD CIO, he made the recommendation to cancel JEDI — a program that sought a single vendor for the Pentagon’s first enterprise cloud capability — and pivot to a multi-vendor acquisition process under what is now known as the Joint Warfighting Cloud Capability (JWCC).

“That, to me, has been the flagship or one of the top achievements I’ve had as CIO,” Sherman said.

Sherman announced June 6 that he would be departing as Pentagon CIO by the end of the month, moving into a new role at Texas A&M University, his alma mater, as the Dean of the Bush School of Government and Public Service.

During an exit interview with DefenseScoop on Monday, Sherman reflected on his nearly three-decade career in government where he often campaigned for novel approaches and technologies to accomplish missions.

“Anytime you’re doing something new, you’re gonna break some glass doing it,” he said.

A ‘digitally focused’ IC

After serving in the Army as an air defense officer in the 24th Infantry Division, Sherman said he was interested in working in the intelligence community and initially applied to be an all-source analyst at the Central Intelligence Agency.

But when he received his interview package, he was sent to Building 213 in Washington, D.C.’s Navy Yard where the DOD was standing up the new National Imagery and Mapping Agency — now known as the National Geospatial-Intelligence Agency (NGA). Sherman was hired as an imagery analyst in 1997, investigating and distributing geospatial intelligence on the Iraqi Republican Guard.

“Working that Republican Guard account for several years will, and continues to be, one of my fondest memories in the IC — working with some amazing teammates in Building 213 supporting U.S. Central Command and other entities with what I thought was insightful analysis during the no-fly-zone days, and then moving to the start of Operation Iraqi Freedom and onward,” Sherman said.

He would spend the next 23 years in the intelligence community, including as the CIA duty officer in the White House Situation Room, an all-source analyst on the National Intelligence Council and a role at the NGA Office of the Americas.

Notably, Sherman was part of the small team that was present in the White House Situation Room on the morning of the September 11 attacks on the World Trade Center.

“It was a sobering experience, but also we were honored to be there to support crisis operations on that day,” he said.

In 2014, the CIA was looking to become more “digitally focused,” and Sherman became one of two deputy directors of the CIA’s Open Source Enterprise (OSE) managing the tradecraft of open source intelligence. He led the Middle East and Asia portfolios, as well as the portfolio for emerging technologies where he first began experimenting with commercial cloud capabilities, he noted.

While at OSE, Sherman helped stand up a low-side cloud capability called the Open Source Data Layer and Services (OSPLS). The effort leveraged Amazon Web Services and other capabilities provided by the IC’s Commercial Cloud Services (C2S) program to provide a cloud-based environment for less sensitive and non-critical information.

He detailed how he also took part in the Eyesight Mission Users Group. Although the group’s focus is classified, Sherman said the experience taught him critical lessons on data standards and exactly how cloud technology works.

“What I was able to do was, as one of the initiative leaders, use open-source gathered information to feed into NSA’s gov cloud — which was their part of the classified capability — to then run the compute against this open-source information and find new things that we would not have been able to discover otherwise,” he said.

Sherman was later tapped to serve as the intelligence community’s CIO in 2017, and during his time he initiated several innovative changes that allowed the IC’s IT enterprise to evolve. 

One of those was shifting focus on a program known as the Common IC Desktop Enterprise, which initially looked to create a unified architecture that would allow analysts and officers to move between agencies without the hassle of transferring their data. Despite all of the money and time the IC had already invested into the effort, Sherman said he recognized it wasn’t working.

“It was never going to scale out to being this IC-level capability that it was envisioned to be, and so we pivoted to a federated architecture where we would have standards and then be able to accomplish some of the same interfaces — but not with this unified overall architecture that we were first going along,” he said. 

Another accomplishment as IC CIO was the creation of the Commercial Cloud Enterprise (C2E) program. The intelligence community had been using a single-vendor approach under C2S since 2014, and Sherman initiated the follow-on C2E effort to bring a multi-vendor, multi-cloud capability to the IC in 2020, with Amazon Web Services, Microsoft, Google, Oracle and IBM serving as vendors.

“I’ll also admit this freely — C2E was the model for what became JWCC at DOD,” he said.

Leaning into hard decisions

Sherman was brought into the Defense Department as the principal deputy CIO in 2020, later replacing then-CIO Dana Deasy when he left his position in 2021. Although the department was grappling with many problems with its IT enterprise then, there are still a number of other issues the new CIO who replaces him will face in the future, he said.

“I don’t know what the next hard decision is going to be, but be ready to lean into that,” he said. 

Still, Sherman touted the accomplishments he made during his time at the Pentagon, especially related to the department’s pivot to JWCC and the awards made to Google, Oracle, Amazon Web Services and Microsoft for the program at the end of 2022.

He noted that over $700 million worth of task orders across all three security classifications have been awarded through JWCC to date, with organizations like the F-35 Joint Program Office, defense agencies and combatant commands all on board with the program.

JWCC’s growth has also initiated the Pentagon’s new Joint Operational Edge (JOE) initiative to provide cloud capabilities at the tactical edge — a concept he calls the “lily pad.” One JOE cloud has already been installed at Joint Base Pearl Harbor-Hickam in Hawaii, another is coming online next in Japan, and the Pentagon is currently looking at sites for a third one in Europe, he said.

“One of the big things that we talk about a lot with cloud tradecraft is procuring cloud is not the end of the story. You have to learn how to use it, you have to learn how to apply it to your mission,” Sherman noted.

As it prepares for the next phase of the program, dubbed JWCC 2.0, Sherman has directed the CIO’s team to conduct an after-action review of the entire effort. 

“While I’m a huge fan of it, I know it’s not perfect. Because like with C2E, we’re kind of figuring out how to walk and chew gum in a multi-vendor environment,” he said. “What can we do better for JWCC 2.0? Are there things we can put into place to make [software-as-a-service] offerings easier to manage?”

Along with cloud modernization, Sherman has led efforts to improve user experience at the department by creating a UX portfolio management office at the CIO, fix the lengthy authority to operate (ATO) process in response to complaints from industry, and move the Pentagon into adopting a zero-trust cybersecurity framework by 2027.

In a statement to DefenseScoop, Deputy Secretary of Defense Kathleen Hicks praised Sherman for positioning the department for success while he served as CIO.

“John tackled some of the most complex challenges in the Department during his tenure, advancing the Department’s information advantage and improving our decision superiority, from the combatant commander down to the platoon leader,” Hicks said. “His leadership on ground-breaking initiatives such as the Joint Warfighting Cloud Capability, Zero Trust Architecture, and the Emerging Mid-Band Spectrum Sharing assessment materially strengthened US national security.”

A key challenge for the department moving forward will be to ensure it is modernizing at the pace it needs to, all while leveraging industry capabilities when it can, he said.

“As we talk big thoughts about edge cloud and transport and zero trust, never forget that it comes down to a service member’s ability or civilian’s ability to do their job — not only at the Pentagon, but out at Osan Air Base in Korea, or onboard a ship in the Red Sea, or at a special forces detachment in Africa,” Sherman emphasized.

Another will be tackling the Pentagon’s growing tech debt, he added. Warfighters are still using a lot of outdated technology from previous conflicts in the Middle East, and Sherman noted that understanding that priority and leveraging the entire enterprise to address it quickly is crucial for the department.

“We’ve got to pay the piper on this because in the digital battlefield that we’ve seen in places like Ukraine and what we could have to face in the western Pacific, these digital IT capabilities are war-winning technologies,” Sherman said. “It’s not just blinky lights and data centers, this is the difference for decision capability for our commanders.”

When asked what advice he would give to the next DOD CIO, Sherman emphasized the importance of working as a team with all of the departments and components at the Pentagon, as well as collaborating with industry as much as possible.

Leslie Beavers, DOD’s principal deputy CIO, will serve as acting CIO as Sherman departs until the department makes a decision on a full-time replacement.

He also pointed to the importance of strong leadership when making hard decisions and setting a clear north star for some of the departments where change might be a heavy lift.

“This has been the greatest opportunity I’ve had professionally, but also I’d be lying if I didn’t say it’s the most challenging,” Sherman said. “So that would be my advice to the next CIO: Buckle your chin strap and get ready, because this is going to be a heck of a ride.”

The post From Building 213 to the Pentagon: John Sherman reflects on his legacy in government appeared first on DefenseScoop.

Known as Project Enigma, the digital environment aims to allow Space Systems Command (SSC) to collaborate with different stakeholders in a multi-enclave, cloud-based shared network. The service awarded GDIT an $18 million other transaction authority agreement in 2023 to develop the prototype digital infrastructure, and the company recently received an extension contract to add more capabilities to the platform, according to Travis Dawson, GDIT’s senior director for Project Enigma.

“This resulting digital services ecosystem will further drive resilient, secure information-sharing to anyone, anywhere, at any time,” Dawson said in an interview with DefenseScoop.

GDIT hosted around 200 government stakeholders for a demonstration of Project Enigma earlier this month at Los Angeles Air Force Base, where the company showcased some of the digital environment’s capabilities, including digital engineering tools, a software factory with DevSecOps pipelines, an IT service management desk and more.

“Working in a government setting and having the ability to sit at one device and do classified and unclassified work on the same device is monumental,” Dawson said. “Rather than having to leave your device and go to a secure facility, login with some classified credentials, etc., you can do that from one device.”

During the event, the company also demonstrated an initial operating capability of Project Enigma’s Commercial Solutions for Classified (CSFC) offering. Approved by the National Security Agency, CSFC allows users to work on classified networks either in-office on a desktop version known as a “trusted thin client” or remotely on a laptop, Dawson said.

“We’re rolling out both of those … right now, putting the trusted clients on the desk within Space Systems Command in L.A.,” he said. “Those provide the ability to securely communicate in … multiple independent levels of security simultaneously from a single device, and it ultimately could be from a remote device.”

The company is currently focused on enabling work in secret-level classified environments. There is some appetite within the U.S. government to add top secret and special access programs (SAP), but the company has yet to begin work on those, Dawson said.

Moving forward on its extended contract, GDIT is currently working on expanding access to Project Enigma beyond those within SSC and incorporating connections with industry partners, he noted.

GDIT also plans to add more mission partners and more commercial cloud service providers to the platform, creating a classified multi-cloud environment for collaboration, he said. While Dawson couldn’t name which cloud service providers would be integrated, he noted that they are companies approved by the Defense Department’s Joint Warfighting Cloud Capability contract vehicle. Microsoft, Oracle, Amazon Web Services and Google compete for task orders under the JWCC program.

The addition of commercial cloud is part of a larger GDIT effort known as digital accelerators, Dawson said. The company offers a portfolio of tailored solutions from the commercial sector — from artificial intelligence to cybersecurity — that can be brought into different platforms.

“These are integrated commercial technologies. They have been cyber hardened, and they’re customizable,” Dawson explained. “The customers can go ahead and customize them to their needs and their requirements, and they don’t have to be locked into any type of technology.”

The post Space Force getting cloud-based, classified environment for industry collaborations appeared first on DefenseScoop.

In 2023, DISA began its Joint Operational Edge (JOE) initiative, envisioned as an integrated mesh of edge computing platforms located at Defense Department sites that could provide cloud capabilities overseas. The agency then launched different beta programs to test and scale its OCONUS cloud offerings, one of which is a version of the Stratus private cloud capability at Joint Base Pearl Harbor-Hickam in Hawaii in support of operations in Indo-Pacific Command’s area of responsibility.

Col. Jeffrey Strauss, DISA’s acquisition deputy for programs, said that while the overall effort is going well — with one of the OCONUS cloud offerings already being used to its maximum capacity — the agency is competing for funds to do more.

“There is a demand [and] appetite to do more and to prototype some new ones,” Strauss told DefenseScoop on Friday during an event hosted by Washington Technology. “The challenge there is we don’t have a lot of free capital for DISA to invest if we don’t know we have a customer.”

Part of the strain comes from the large amount of infrastructure and capability that DISA must allocate money towards maintaining, Strauss explained. A significant portion of the agency’s annual budget is eaten up by operation-and-maintenance funding to sustain current ops, which restricts how much money it can dedicate to new investment in its research-and-development portfolio, he said.

For example, DISA requested $2.6 billion in its O&M budget for fiscal 2025 and just $258 million for R&D projects.

“When you have this big sustainment bill and it grows, what gets pressured is investments into new things,” Strauss said.

As a combat support agency to the entire Defense Department, DISA also receives money from the other components via the Defense Working Capital Fund, a type of revolving pot of money that supports buying and selling of services across the Pentagon. Individual agencies put a portion of their budgets into the fund, which is then used by DISA to perform the specific services that others order from them.

Strauss indicated that although DISA hears the demand for OCONUS cloud capabilities from the military services, that doesn’t necessarily translate into what they provide financially — creating another barrier in deploying more cloud capabilities outside of the United States, he said.

In a separate interview with DefenseScoop, DOD’s Chief Information Officer John Sherman noted that OCONUS offerings weren’t initially part of the Pentagon’s push to deploy enterprise cloud capabilities under the Joint Warfighting Cloud Capability (JWCC).

However, there was recognition that future operations in the vast distances of the Indo-Pacific might require additional infrastructure, he said.

“JWCC’s infrastructure is in the continental United States, and the cloud service providers have edge capabilities that you could carry around in a [Joint Light Tactical Vehicle] or maybe even a personal portable sort of thing,” Sherman said Wednesday on the sidelines of the GEOINT Symposium in Florida. “There’s a real tyranny of distance from the Marianas Islands all the way back to California or Arlington, Virginia. You need a lily pad somewhere so you don’t have to backhaul the information.”

The larger JOE program is tackling how to provide those cloud capabilities to warfighters operating in remote locations. Along with the initial prototypes for Indo-Pacom, Sherman said his office is already looking at other deployment options in the Western Pacific, Europe and elsewhere.

“Part of this is cloud tradecraft. We’re learning this as we go along here with the intelligence community to figure out how to do cloud capabilities from the continental United States out to the tactical edge,” he said. “JOE cloud is one of those things we’ve learned that we need in place to have that sort of connectivity.”

DefenseScoop reporter Brandi Vincent contributed to this story.

The post Despite demand, DISA financially constrained to scale cloud capabilities overseas appeared first on DefenseScoop.

In 2022, the Defense Department released its first strategy and a reference architecture for operating under zero trust — a cybersecurity concept that assumes networks are already compromised by adversaries, meaning the Pentagon must constantly monitor and authenticate users and their devices as they move through a network.

The strategy outlined what it considers “target levels” of zero trust, which are a minimum set of 91 capability outcomes that agencies and components at the department must meet to secure and protect networks. The Pentagon’s goal is to achieve those target levels no later than Sept. 30, 2027.

Despite the seemingly aggressive timeline for introducing an entirely new cybersecurity concept across the department, different IT officials at the Defense Department said this week that they are on track to meet the deadline.

“We’re clearly in the implementation phase,” Dave McKeown, DOD chief information security officer and deputy chief information officer for cybersecurity, said Wednesday at the Defense Acquisition University’s Zero Trust Symposium. “We’ve done a lot of planning, we’ve tried to educate the force, we’ve gotten the plans all submitted. And now, we’ve got to move into execution.”

Hit the ground running

To help streamline zero trust adoption across the enterprise, the Pentagon established a zero trust portfolio management office led by Randy Resnick. During the remainder of fiscal 2024 and into fiscal 2025, the office plans to rapidly move out on developing zero trust proof of concept pilots, with at least 15 pilots already lined up, Resnick said Tuesday during the symposium.

Getting the pilots off the ground will hopefully mitigate any apprehension about the possibility of implementing zero trust by 2027 that Pentagon components may have, he noted.

“If we start generating potential solutions that have been independently assessed, and validated to hit target, then we’re showing that this assemblage of vendors or products put together in a certain configuration can actually deliver the results that we see coming out of zero trust,” Resnick said. “And so, it would be then up to the components that decide what they want to do next.”

While the goal is to adopt zero trust across the department, officials have emphasized that there is no one-size-fits-all approach to implementation. To that end, the zero trust strategy provided a capability execution roadmap with three courses of action (COAs) that agencies and components may take.

Resnick said the 15 pilots planned by the portfolio management office will focus on COA 1, which uses a brownfield approach by adding new technology to existing IT infrastructure.

In the future, the office wants to launch pilots for COAs 2 and 3 — which will leverage zero trust-compliant commercial cloud capabilities and government-owned clouds, respectively. McKeown said DOD is working with industry on those COAs, stressing to them the importance of having integrated solutions that meet target-level requirements.

The Pentagon CIO’s office will also continue work in facilitating assessments of vendor zero trust technology and integration, Resnick noted.

Companies are being asked to independently integrate and test their products to see if they reach target levels of zero trust. If those companies feel they have achieved the necessary requirements and the Defense Department agrees with the assessment, the vendors will be invited to participate in “purple team assessments” that test and analyze how both adversaries and cyber defenders act in the environment, Resnick explained.

If the integrated system meets target levels of zero trust or higher, then the Pentagon can officially give it the green light via adjudication, he said.

“It’s an important element of approval because that would give a signal to DOD and any other customer that this configuration with these hardware and software … delivered to us target-level [zero trust],” he added.

Conducting red, blue and combined purple team assessments of the environments is critical to delivering integrated zero-trust solutions, McKeown said.

“We have fielded lots of good cybersecurity tools throughout the [DOD Information Network] over the past decades. All of these tools served a purpose, but were not well integrated,” he said. “Integration is the key to making all of the tools work more synergistically together and improving the effectiveness of our cyber defenses.”

A need to go faster

As it continues to move forward with zero trust implementation, the DOD CIO’s office is incorporating mechanisms that aim to speed up the process and keep efforts on track for the 2027 deadline.

A key lesson came in recent months when the portfolio management office reviewed and approved the first zero trust implementation plans that each DOD agency and component submitted. The CIO’s office is requiring individual components to create and submit these implementation plans each year by October.

Resnick said his office approved all 39 of the submitted plans in January and then provided an update to Congress based on those reviews in March. It was an effort that required a lot of back-and-forth communication with each component and took 35 full-time employees three-and-a-half months to complete, he noted.

Now, the portfolio management office is looking at how it can automate the process for future years, Resnick said.

“It was a tremendous effort. We did it once, and the lessons learned here was that we really can’t repeat this process. It is untenable,” he said. “We need to automate the assessment process. We need to put it in electronic form where we could actually apply AI tools to actually ask questions and to achieve answers based on the submissions, and that’s where our head is going right now.”

In addition, DOD CIO John Sherman said that he is working to improve the authorization (ATO) and continuous authorization (cATO) processes that are used to minimize and manage cybersecurity risk responsibility for software systems.

Speaking Tuesday at the symposium, Sherman said it is likely that guidance on “reciprocity by default” will be released that will address the lengthy time and repetitive efforts associated with ATOs.

His office is also working on evaluation criteria for cATOs, with a draft already outlined and plans to talk with each of the services about their own cATO evaluation criteria underway, he said.

“It takes too long to get software deployed and other capabilities. And these are patriotic Americans working hard to do the right thing by implementing the [risk management framework], but we’ve got to do better on this,” Sherman said.

Reaching target levels and beyond

Although the Defense Department believes it is on track to reach target-level zero trust by 2027, Sherman highlighted that it still has plenty of work to do ahead of the deadline.

For example, the Pentagon has long discussed implementing an enterprise solution for identity, credential and access management (ICAM) — considered a key component of zero trust. The CIO’s office is still evaluating options for a federated ICAM solution, Sherman said. 

Another ongoing effort is implementing zero trust practices in cloud environments, he added. The department is currently working with all four cloud services providers contracted under the Joint Warfighting Cloud Capability (JWCC) contract — Microsoft, Oracle, Amazon Web Services and Google — to conduct red-teaming assessments and understand zero trust in the cloud, he said.

The Pentagon is also continuing its investments in zero-trust capabilities and expanding the pool of vendors able to offer cyber protection, starting with endpoint security, Sherman noted. The department is already using Microsoft Defender for Endpoint — an enterprise endpoint security platform — for unclassified networks and plans to eventually use it for the secret level as well.

“There will be other opportunities for other cybersecurity service companies for other parts of the enterprise, for non-Microsoft endpoints,” Sherman said. “As we look at [operational technology] and elsewhere — as we expand zero trust out — we’re going to use other companies as well. We do not have a monoculture on one company here.”

As for what happens after the 2027 deadline, the Defense Department is already thinking about how it will implement what it refers to as “advanced levels” of zero trust cybersecurity — as well as other use cases for the architecture.

While target levels cover minimum data security requirements, advanced levels are defined as the achievement of the full set of capability outcomes. Along with the 91 activities that are needed to reach target zero trust, advanced levels will require an additional 61 activities, according to the DOD’s strategy.

“This is not a one and done. We’ve got the target-level zero trust and then the broader implementation of zero trust five years later,” Sherman said.

The Pentagon is also exploring how it will leverage zero trust beyond its information technology infrastructure, such as on weapon systems.

“It’s one thing to do this on networks, it’s another thing to do it on a weapons system or weapon platform, on operational technology, on [supervisory control and data acquisition systems] and so on,” he said. “It’s gonna be a bit of a lift there too. We’re gonna have to figure out how to do this as well because we know their threat vectors there.”

The post With 2027 deadline looming, DOD moves into implementation phase of zero trust transformation appeared first on DefenseScoop.

The new version of the Army’s cloud services infrastructure — dubbed cArmy 2.0 — aims to build upon the foundations of recent cloud modernization efforts and make key improvements to them, Army CIO Leonel Garciga said Tuesday during a webinar broadcasted by Federal News Network.

A new landing zone for cArmy 2.0 will be available in April, he said.

The move to the revamped environment comes after the Army took a “tactical pause” over the last couple of months to reevaluate its cloud delivery model, he noted.

“Like most traditional folks in enterprise’s big move to the cloud, we raced in some areas, we made some mistakes, we did some things that made sense at the time that don’t make as much sense now,” Garciga said. “And as new cloud services have become available in the regions across all of our [cybersecurity service providers], it’s really caused us to rethink some of the technical work that’s been done.”

As part of a larger push across the Defense Department to embrace the cloud, the Army stood up its Enterprise Cloud Management Office (ECMO) in 2019 and introduced cArmy the following year. According to the service, cArmy is a multi- and hybrid-cloud ecosystem that provides tenants with common cloud shared services in a secure ecosystem. Amazon Web Services and Microsoft Azure currently serve as services providers for the cloud environment.

After evaluating how cArmy has performed over the last three years, the Army wants the follow-on version to offer more agility for users — especially as the department continues to experience more demand for cloud services.

Garciga said a key goal for cArmy 2.0 is to introduce automation and simplicity into the cloud architecture to improve overall delivery.

“Those core services that tenants are receiving are going to be way easier to execute moving forward, as opposed to right now where it’s a little clunky,” he said.

The Army also wants to use automation to streamline onboarding services for new customers, as well as making sure to provide as much critical information to users as soon as possible, Garciga noted.

“What does the environment look like? What do our images look like? What baseline managed services are we delivering as an Army to you, the tenant? Getting that out is hugely important,” Garciga said. “Our focus is going to be making sure that we make that available to all the folks that are coming into the environment.”

In addition, cArmy 2.0 will focus on platform-as-a-service (PaaS) and software-as-a-service (SaaS) cloud deployments — rather than infrastructure-as-a-service (IaaS). Doing so reduces the overall delivery timeframe, he said.

Along with the new version of cArmy, Garciga also emphasized that his department is still embracing the Pentagon’s Joint Warfighting Cloud Capability (JWCC) as it pivots away from using the Army’s own cloud service provider reseller, known as Cloud Account Management Optimization (CAMO). At the moment, the Army has two contracts moving through the JWCC pipeline, he said.

“We continue to use this mix of [Commercial Cloud Enterprise] on the intel side and for some workloads, and definitely CAMO for unclassified workloads and our existing workloads as we really get that footprint set up in JWCC,” Garciga said.

The post Army poised to launch revamped cArmy cloud services environment appeared first on DefenseScoop.

More than 47 task orders were awarded by the Defense Information Systems Agency, which runs the contract, and over 50 more are in the pipeline presently, Sherman told the House Armed Services Cyber, Information Technologies, and Innovation Subcommittee Friday.

The task orders are part of the Joint Warfighting Cloud Capability (JWCC), the Pentagon’s highly anticipated $9 billion enterprise cloud effort that replaced the aborted Joint Enterprise Defense Infrastructure (JEDI) program. Google, Oracle, Amazon Web Services and Microsoft were all awarded under the JWCC program in December 2022 and will each compete for task orders.

That effort is critical to enabling the U.S. military’s top priority of Combined Joint All-Domain Command and Control (CJADC2), which envisions how systems across the entire battlespace from all the services and key international partners could be more effectively and holistically networked to provide the right data to commanders, faster.

“Following our award of the Joint Warfighting Cloud Capability (JWCC) contract in December 2022, DoD Components now have access to commercial cloud computing at all three security classifications, from the headquarters to the tactical edge, which is critical to enabling Combined Joint All-Domain Command and Control (CJADC2) and other important efforts, such as modern software development and artificial intelligence,” Sherman and DISA Director Lt. Gen. Robert Skinner told the subcommittee in written testimony. “In the first year of execution, the team was focused on helping Mission Partners through the acquisition process and adopt JWCC … We published guidance for the use of JWCC and cloud rationalization to streamline cloud contracting and reduce contract sprawl across the Department.”

For years, the Pentagon has articulated the critical need for enterprise cloud capabilities that can provide data and information flow at the tactical edge for decision makers and military units.

“The current crisis in Ukraine and CJADC2 experiments demonstrate the need for rapid extension of enhanced edge computing capabilities globally to reduce network latency, enable advanced data processing such as AI, and improve operational resilience,” Sherman and Skinner wrote. “The DoD CIO, [Chief Digital and AI Officer], and Under Secretary of Defense for Intelligence and Security are engaged with the Combatant Commands (CCMD), the MILDEPs, and forward deployed partners to deliver the latest cloud computing and communications technologies to meet these requirements.”

Skinner also told the committee the department has deployed an initial overseas cloud supporting Indo-Pacific Command missions.

“In the last 12 months, the DoD CIO, in partnership with DISA, successfully deployed the initial [outside the continental United States] commercial cloud capability in support of INDOPACOM missions. This OCONUS cloud capability will establish the OCONUS portion of the global, resilient, and secure information environment that supports the National Defense Strategy’s (NDS) top priorities. Specifically, the OCONUS cloud enables warfighting and mission command, resulting in improved agility, greater lethality, and improved decision-making at all levels,” the written testimony stated.

Moreover, DISA has expanded the Stratus Private Cloud outside the continental U.S. to enable hybrid cloud deployments overseas.

The post Nearly 50 JWCC task orders awarded last year; dozens more in the pipeline appeared first on DefenseScoop.

Moving to the cloud is a top IT modernization priority for the Pentagon as a global organization. But, vulnerabilities exist and the DOD is trying to mitigate them.

“We have found several instances on the unclass [unclassified networks] where errors in the hypervisor management side of different vendors have led to IP addresses being exposed to the public for a period of time,” Dave McKeown, chief information security officer and deputy chief information officer for cybersecurity at DOD, said at the Billington Cybersecurity Summit on Tuesday. “Of course, the bad guys don’t wait. They are constantly scanning networks, looking for a door that they can go in and rummage around. We lost some data as a result of that.”

The Joint Warfighting Cloud Capability (JWCC) was awarded in December, and is the Pentagon’s highly anticipated $9 billion enterprise cloud effort that replaced the maligned Joint Enterprise Defense Infrastructure (JEDI) program. Google, Oracle, Amazon Web Services and Microsoft were all awarded under the contract and will each compete for task orders.

McKeown didn’t offer specifics regarding security incidents. However, one recent example involved emails containing sensitive personnel data that were exposed publicly.

McKeown noted that the DOD is looking at some creative ways to work with these vendors to secure their offerings, which, while purpose built for the Pentagon and not exactly the same as commercial offerings, are still vulnerable to malicious actors on the internet.

The department had to look at the governance process and work with the providers on improving security, he added.

“How can we help you defend your cloud that you built for us? In all cases, those JWCC clouds are custom-built gov clouds, so they’re not the traditional commercial clouds. But still, they’re visible from the internet, they’re attackable from the internet. So, we partnered with them to understand better how we can help defend,” he said. “One of the things that we looked at initially was maybe we can use our tools to scan that IP space where your management network, your hypervisor resides. We got agreement, we’re starting to do that.”

The Pentagon’s main organization responsible for defending the network — Joint Force Headquarters-DOD Information Network — will get a full report on the open ports and protocols that are vulnerable and work directly with the providers to fix them, according to McKeown.

The post DOD working with cloud service providers to improve security appeared first on DefenseScoop.