8 Lessons From Rosetta Comet Mission

The Department of Defense is getting ready to deploy a new cloud computing policy that allows the armed services more say in selecting service providers. Besides allowing commercial vendors to support DoD operations, the move also allows the military to be more efficient in adopting mobile devices and other related technologies, said the department's acting chief information officer.

Speaking at a recent government and industry event, Terry Halvorson, the Navy's former CIO who moved to the DoD's top tech spot this summer, noted that the military faces dilemmas in how it manages and deploys IT systems. But he added that the biggest changes and challenges in the department are not hardware or software, but cultural.

The DoD is working on a new cloud computing policy. Although the Defense Information Systems Agency (DISA) recently was removed as the lead agency for selecting the military's cloud providers, it is still involved in the process, Halvorsen said. Under the new policy, the individual services will be able to select their own cloud providers. Halvorsen wants the DoD to move to commercial clouds, such as Amazon or Google, where possible. DISA's new role in this process will be to ensure that commercial cloud providers meet DoD security standards, he said.

"That's the technical piece. The second piece is we've got to change people's thoughts." One of the big cultural changes that the new cloud policy implies is that individual services, agencies, and commands are no longer able to hoard their data or run their own data centers, he said. The military can no longer afford to operate in this way; instead, the DoD is moving to more "distributed data" operations based in the cloud. The challenge remains in convincing data owners to physically "let go" of it, said Halvorsen.

Cloud computing also enables mobility, something the DoD is embracing. Halvorsen noted that mobility is impossible if data remains locked up in stovepiped data centers. The need for mobility also reflects the fact that the DoD's young personnel are used to mobile devices and rapid access to information in their daily lives. When they join the military or government service, they expect and demand certain capabilities from their mobile devices, according to Halvorsen.

[Is the Army falling down in logistics? Read GAO: Army Logistics Implementation Needs Tighter Controls.]

Although security and meeting mission requirements come first for DoD mobile devices, their deployment across the department -- and the ongoing IT infrastructure modifications needed to support it -- represents a cultural shift, he said.

To help manage this process, the DoD is preparing to release a new cloud policy by the end of this November. Additionally, a new mobile phone is currently being issued to department personnel that features secure email and voice communications. A set of upgrades to the phone's software and applications is already underway and will be followed by a major upgrade at the beginning of 2015, Halvorsen said.

At the core of the DoD's move to cloud computing is the Joint Information Environment, a secure space where commanders can share data and information in real time. The JIE is not a program, but a concept consisting of several discrete characteristics, said Halvorsen.

The first parts of the JIE are the Joint Regional Security Stacks, which streamline network security and operations into regional zones. This provides better security and allows all the services and individual commands to see and know what is happening across the entire DoD enterprise infrastructure, according to Halvorsen.

The stacks also eliminate redundant firewalls. Halvorsen noted that the DoD must currently keep some 1,600 firewalls synchronized. When the JIE is fully functional, it will allow many of these firewalls to be eliminated. If the process is done right, he said the DoD could save up to $2 billion in annual operating costs. The first JRSS is now operational, he said.

Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data. In the Partners' Role In Perimeter Security report, we'll discuss concrete strategies such as setting standards that third-party providers must meet to keep getting your business, conducting in-depth risk assessments -- and ensuring that your network has controls in place to protect data in case these defenses fail. (Free registration required.)