DISA’s Approach to Modernization
At the Department of Defense’s Defense Information Systems Agency (DISA), Alfred Rivera serves as Director of the Development and Business Center. As part of the Combat Support Agency providing an enterprise infrastructure to DOD end users and its mission partners, “my focus is really on putting new capability in the department,” Rivera said at a panel at the GITEC Summit on April 3 in Annapolis, Md.
Specifically, Rivera outlined three major areas he focuses on: the cloud, defensive cyber operations and command and control capabilities.
Part One: Cloud
DISA maintains large data centers and provides a number of enterprise capabilities to DOD, so it is working to evolve to a cloud-based construct. “We embrace a hybrid strategy,” Rivera said at GITEC, but in a multi-faceted way. For example, DISA built its own cloud and cloud services product portfolio inside the DOD network, called milCloud. This allowed DISA to capitalize on its own data centers and customers to take advantage of it as a mission capability.
DISA’s milCloud is defined as an Infrastructure-as-a-Service solution, and it uses commercial providers (like Amazon Web Services) and government-developed technology to deliver cloud services. Rivera also encourages members to access commercial cloud services through DISA’s dedicated cloud access point (CAP). The CAP is the line between the DOD Information Network (DODIN) and those commercial cloud providers, enabling DISA to monitor the traffic, maintain security and protect its network from commercially-hosted vulnerabilities, according to the Cloud Connection Process Guide.
If an agency in DOD wants to connect a cloud provider managing Level 4 or 5 data to the DODIN through the CAP, it has to get approval from DISA’s Connection Approval Office and meet other requirements outlined in the guide. Yet as DISA explores its cloud advancement options, Rivera did mention potential challenges that linger for other agencies.
“There is a community out there that isn’t ready,” he said, referring to the move to the cloud. There are still obstacles surrounding migration, developing applications as they are written and trying to move those applications to the cloud. It’s not easy, he explained, to move from a legacy environment (even if developed properly) and equip it for cloud services.
Rivera’s approach to these pain points is to embrace the legacy systems that continue to exist and help them evolve into a capability that can move toward the kinds of capabilities needed for cloud. Rivera also faces two kinds of customers in DOD: those afraid of putting data into the cloud, regardless of DISA’s security and management of the data, and those that are fully embracing the cloud and taking advantage of its services. Moving forward, DISA is ensuring the proper security boundaries and guidelines are in place in order to continue embracing its hybrid cloud approach.
Part Two: Cyber
Rivera said the largest piece of his portfolio is cyber and “putting in an operational capability that supports the whole spectrum or construct of what we define as cyber.” That ranges from DOD’s perimeter defenses, between the department and the internet, down to the endpoint. DISA has the responsibility of building that capability, putting the tactics, techniques and procedures (TTPs) in place, and using analytics to be more efficient as threats continue to evolve and advance.
Rivera’s approach to cybersecurity begins with his previous statements about operationalizing the performance of cyber and building it into a cyber framework from the perimeter to the endpoint. This way, DISA can track the vulnerabilities coming in from points like email and web content, as well as the cyber hygiene of end users.
Secondly, Rivera focuses on what he calls cyber efficacy. This means building the solutions and TTPs all the way down the spectrum and figuring out how to develop the applications and implement them into the architecture. The third factor is workforce management and training to make sure the right people with the right talent are in place to address the continuously changing cyberspace.
Part Three: Command and Control
DISA manages DOD Command and Control Systems (C2), such as the Joint Global Command and Control System (GCCS-J) and the Joint Global Combat Support System (GCSS-J). These systems provide the commander with information needed to make decisions and the warfighters with capabilities to access mission-critical information, according to DISA.
To evolve C2 legacy environments, DISA is moving them toward cloud-based and agile-based development in an effort to rapidly get capability out to commanders, international mission partners and coalition partners. However, retiring legacy IT and bringing in new capabilities has its challenges, too. “Dollars is predominantly the largest issue,” Rivera said.
With DISA acting as a shared service provider, Rivera is aware that its customers also face funding impediments, as the budget for sustaining existing applications does not leave room for modernization. “I still have COBOL applications that were developed by people who are long gone now,” Rivera explained, and it is difficult to move those stable applications that still run well off large systems and old mainframes.
So, Rivera said it’s about finding ways to continue improving or adding value to existing legacy systems because, in some cases, there is no long-term prospect of them changing, unless, of course, an agency has the budget, funding and appropriations in place to evolve. Combined with proper planning and requirements in place, this was possible with the GCCS-J, which was running in a legacy-based environment. “We are moving that whole construct to a cloud-based, web-based architecture,” Rivera said. “We call it recapitalization, so that everybody is capitalizing on a single baseline across the DOD.”
Part Four: Moving Forward
As an IT service provider, DISA focuses on getting the needed and necessary capabilities out to its mission partners and customers in a quick and timely manner. Going forward, Rivera said DISA is exploring mobility and a Mobile Combat Support System. This would include using DevOps and sprints to move from legacy systems to a web-enabled cloud-based solution set that could push capability out to warfighters through the cloud with the proper requirements process “as opposed to what we’ve been doing on an 18-month cycle of getting changes out to the warfighter,” Rivera said.
And in order to evolve technologically, Rivera said DISA is approaching the vendor community in a new way. “The question is not new capability but how do you bring innovation to DISA,” he said. Rather than in the form of a device, Rivera is interested in how industry thinks about and demonstrates innovation. This includes how industry leaders encourage innovation within the organization, how they work with academia to share information, how they embrace industry partnerships and, of course, how they approach government. “I think you’re going to start seeing that shift in DISA as we start looking at the next wave of capability,” Rivera said.