Department of Defense Chief Information Officer Teri Takai outlined how policies on their way to implementation will make it easier for IT vendors to work with the department in a presentation on April 2.
Most recently, the department announced that it was moving away from its decade-old information security requirements under the DoD Information Assurance Certification and Accreditation Process (DIACAP) to National Institute of Standards and Technology’s (NIST) 800-37. The switch resulted in republication of DoD’s 8500 and 8510 standards this month. The move will align DoD with the rest of the federal government, making it simpler for security and IT firms to leverage their products and services from one agency to the next without building to individual specifications.
“The intent very much is to make it easier [for vendors],” she said at the Intel Security Innovation Summit. “You don’t have to qualify for a set of NIST standards that are different from the DoD standards.”
Takai does not want “uniqueness” at DoD and would rather see the department’s priorities integrated into the broader conversation around federal IT.
“The intent there is to really try to reduce the workload and to make sure that we are more consistent across government in driving the standards,” she said.
The standardization process will be reflected across the board at DoD, whose decentralized architecture totals to 15,000 network enclaves and 2,000 data centers. Major initiatives include the Joint Information Environment (JIE), moving to the cloud and increasing mobility.
Comparing JIE to corporate IT consolidations, Takai said the effort is motivated by security even more than cost savings.
“The way that we’re configured and constructed today…is enormously difficult for CYBERCOM to do their job, to see into the networks,” she said. “The complexity of what we have and the way that we’re architected is an inhibitor to that.”
While some vendors have interpreted consolidation as fewer but larger contracts, which would favor major firms, Takai assured the audience competition would remain a part of the procurement process.
“That does not mean we are going to change our selection of products,” she said, explaining that the larger contracts would mostly be at data centers.
As for the move to the cloud, Takai said the Defense Information Systems Agency (DISA) will be building off of FedRAMP as it takes on its role as the department’s cloud broker. FedRAMP is the General Services Administration’s (GSA) process used to approve cloud service providers to work with federal civilian agencies. Using these standards will eventually mean less work for providers hoping to sell to DoD.
“DoD, DHS [Department of Homeland Security], and GSA are lockstep on support of what FedRAMP is doing,” she said.
Under Takai’s oversight, the department is also bringing standardization to mobile devices. DoD has stood up the standard Mobile Device Management (MDM) platform, an unclassified mobile application store, and is now in the process of certifying a number of commercially available phones on the unclassified side. Takai said classified will soon be standardized and her office is working with the National Security Agency (NSA) for Top Secret mobile communications.
“Our grand desire is to not have the SME-PED (Secure Mobile Environment Portable Electronic Device),” she said of the chunky devices used for classified voice and data.
In addition to providing devices and security products, Takai said a standard mobile platform will bring opportunities for application developers to pitch to DoD.
Above all, Takai said the diverse IT ecosystem leaves too many gaps for insider and outsider threats.
“When you’re as big as we are, it only takes one incident to cause an enormous amount of challenge for us.”