The Department of Defense is staring at a classic enterprise IT challenge, only on a massive scale. Facing billions of dollars in budget cuts, the DOD must decide where to invest its IT dollars in order to save money across its operations, and where to pinch IT spending. But with national security on the line, the stakes are much higher--it must do so without compromising its IT infrastructure and applications.
The answer comes in the form of a new plan that aims to replace the military's branch-specific systems and networks with a more efficient, and ultimately more capable, enterprise model. The strategy will require changes that go well beyond new IT systems. "This plan commits us to changing policies, cultural norms, and organizational processes to provide lasting results," DOD CIO Teri Takai told Congress earlier this year.
The Pentagon has the biggest IT budget of any organization in the world: $38.4 billion in fiscal 2012. But that budget's a moving target, as the DOD is under intense pressure to cut its overall spending by tens, potentially hundreds, of billions of dollars over the next five years.
The new IT Enterprise Strategy and Roadmap identifies 26 tech initiatives to be carried out over the next 10 years. The strategy, crafted by Takai along with CIOs of the military branches, was signed by the deputy secretary of defense in early October and is due for public release this month.
The DOD drew on best practices from the private sector in devising its plan, which is spelled out in a 48-page document. The strategy identifies networking services, computing services, end user services, application and data services, and business processes as areas of focus. It provides benchmarks for sought-after efficiencies, including a 30% reduction in servers and up to $3.5 billion in savings over five years. Supplementing the IT Enterprise Strategy is an "initial implementation plan" that identifies work to be done in fiscal years 2012 and 2013, with a focus on near-term gains.
Takai, in an interview with InformationWeek, says the objectives of the IT Enterprise Strategy go beyond efficiencies that translate into cost savings. The department also wants to improve cybersecurity and broaden information sharing across the Army, Air Force, Navy, and Marines.
Some of the projects are in their early stages, but most have yet to begin. "There's some pretty aggressive items in there," Takai says. But she adds: "I wouldn't call them quick wins."
As Takai has learned in her first year on the job, quick wins are hard to come by in the vast bureaucracy of the Pentagon, which at 6.5 million square feet is more than twice the size of the Empire State Building. Her IT strategy document, originally due at midyear, is arriving months later than planned. "I'm continually surprised at the steps that need to take place here," she says.
A former CIO of California, Takai was appointed DOD CIO in October 2010, and she immediately walked into a restructuring of the CIO's office (which formerly had the buttoned-up moniker of Office of the Assistant Secretary of Defense for Networks and Information Integration) and the breakup of the Joint Forces Command (which had coordinated much of the IT work that cut across miliary branches).
A year later, the plan for reorganizing the CIO office has been nearly finalized but still awaits another bureaucratic step: approval by Deputy Secretary of Defense Ashton Carter. It defines more clearly the authority of the CIO to include oversight of IT spending and implementation, as well as the CIO's relationship with three critical units: U.S. Cyber Command, which is responsible for protecting DOD networks; the Defense Information Systems Agency, or DISA, which provides IT services to the military branches; and the Office of Acquisition, Technology, and Logistics. Takai's organization will be renamed the Office of the DOD Chief Information Officer.
The CIO office reorg is part of a broad restructuring ordered last year by Robert Gates, the secretary of defense at the time, whose goal was to lower costs by eliminating redundant functions. Takai's appointment was a surprise to nearly everyone. She had neither of the qualifications one would expect for the job: a military background or experience in the federal government's senior executive service.
But Takai did have three years under her belt managing California's not-insignificant IT operations ($4 billion budget and 10,000 people), where she is credited with driving efficiency and accountability. Before that, she was CIO of Michigan and had worked in the private sector for Ford, EDS, and auto parts supplier Federal-Mogul.
Takai has two senior advisers to show her the ropes--Chief of Staff Rear Admiral Janice Hamby and Principal Deputy CIO Robert Carey, who together have years of experience in what some call simply "the building." In our interview, Takai says the size, structure, and culture of the DOD have taken some getting used to. "It's been important to learn the way the Office of the Secretary of Defense works vis-a-vis the military and how the entire structure is laid out," she says.
The DOD's IT Enterprise Strategy is one of Takai's first deliverables. It identifies 26 "lines of effort" that aim to meet three broad objectives for tech spending and implementation: efficiency, effectiveness, and security.
David DeVries, a DOD deputy CIO and project leader of the IT Enterprise Strategy, uses the term "line of effort" rather than project in describing the strategy because much of the activity involves more than a single contract. For example, the DOD wants to consolidate and optimize its many networks, not just one of them. And it wants to improve IT acquisition across its operations through broader use of enterprise licenses and deals. Other lines of effort include data center consolidation, identity management, and network security.
The IT Enterprise Strategy has its roots in former Deputy Secretary William Lynn's push last year for DOD-wide efficiencies. It took on added dimension and urgency following the publication in November 2010 of classified government documents that had been obtained by WikiLeaks. DeVries says it was a "perfect storm" for re-evaluating IT strategy across DOD's enterprise.
The IT Enterprise Strategy is the work of the DOD CIO's office (project leader DeVries reports to Takai), done in collaboration with the CIOs of the military branches and defense agencies. The Pentagon looked to the private sector in coming up with best practices as well. "We're not doing this in a vacuum," says DeVries.
Where possible, the strategy pulls in recent tech initiatives that align with its objectives, such as the Army's big enterprise email project (more on that later). The initial implementation plan, which will follow release of the IT Enterprise Strategy by a few weeks, identifies eight such projects to be carried out this year and next.
The DOD's data center consolidation initiative is also part of the strategy. At last count, the department planned to close 344 of its 772 data centers, or 45% of those facilities. An update to that plan is due any day.
For example, commercial mobile devices are high on the enterprise IT plan's new tech investment. More than 50 mobile pilot programs are under way at the DOD, ranging from use of smartphones on the battlefield to iPads for military officers. "The need runs in parallel to what the corporate world is looking at--executives who want access to the latest and greatest devices, all the way through being able to use the devices for training and in theater," Takai says.
Security over the military's unclassified NIPRnet and classified SIPRnet networks remains the big mobility hurdle. "We want to make sure we're not giving a soldier a tool that will put them at risk," says Michael McCarthy, operations director of the Army Brigade Modernization Command's Mission Command Complex. "We have to be able to harden the OS and the device itself so that we can operate all the way to classified networks and use the phone to operate mission command systems."
Under a program called Connecting Soldiers to Digital Applications, the Army is evaluating the security of mobile devices and operating systems, as well as authentication techniques such as fingerprint and facial recognition. The program has identified problems unique to the military. For example, it's difficult for soldiers to operate touch screens when wearing gloves, so the Army acquired gloves that make that easier.
Google and George Mason University are co-developing a secure, Android-based software environment for mobile devices, which the National Security Agency (part of the DOD) is working to certify. The Army has also been testing Apple's iOS--Apple is developing security features that the Army has pushed for, McCarthy says.
Army officials talk of one day letting every soldier use his or her smartphone of choice, but they aren't there yet. "I don't want to leave the impression that tomorrow we're going from secure radios to iPhones," Takai says. In fact, the Army just signed a $66 million contract for new "manpack" radios from defense contractor Harris that can be used for voice, data, and video communications, including transmissions to ensure that soldiers are capturing or detaining the right people. The radios, already used in Afghanistan, are smaller and lighter than the models they're replacing.
Just last month, the DOD stopped funding development of a next-generation radio that was part of its Joint Tactical Radio System, citing the rising costs of the device. The military had already spent $2 billion on development of the device, though it was never actually deployed. It's the kind of elephant project the DOD must get away from.
The DOD's $38.4 billion fiscal 2012 IT budget, up 4.9% from the previous year, represents 5.7% of the $670.9 billion total defense budget. The Army will consume the biggest chunk of those IT funds (26%), followed by the Navy and Marines, which manage their IT operations jointly (20%), and the Air Force (18%). About 36% of the budget goes to IT activities that span the military branches and to agencies such as the Defense Advanced Research Projects Agency (DARPA) and DISA.
It's significant that the DOD is increasing IT spending at the same time it's cutting billions from the overall budget. That's partly a spend-to-save rationale, but it's also a realization that DOD's more than 2.1 million employees need new and better technologies to do their jobs. The biggest line items in the defense IT budget are IT infrastructure ($16.5 billion); air, land, sea, and space networks ($5.7 billion); logistics ($3.1 billion), and cybersecurity ($2.8 billion).
Spending will increase this year on IT infrastructure, networks, command and control systems, and "battlespace" intelligence. It will decrease on logistics, HR and financial management, and training. The DOD is looking to optimize its IT spending through increased oversight by investment review boards, broader use of enterprise architecture, improvements in tech acquisition, and a focus on energy efficiency.
The CIOs of the military branches and agencies have been instructed to leave no stone unturned. Not long after the fiscal 2012 budget was released, Air Force CIO William Lord outlined $1.2 billion in savings to be gained over five years by consolidating data centers and telephone switchboards, optimizing networks and bandwidth, and combining the Air Force's purchasing power with other branches. But Lord's ability to drive such changes is limited by the nature of the business. More than half of the Air Force's IT budget is spent on technology that goes into weapons systems that are outside his control.
Navy CIO Terry Halvorsen last month issued a memo to his staff outlining the steps taken to improve IT efficiency at the Navy and Marine Corps. Tech purchases of $1 million or more must go through a business case analysis, then be approved by the CIO or deputy CIO. The Navy has a moratorium on purchases of data storage until it determines whether the needed capacity already exists. And it's looking to centralize enterprise licenses, telecom, and training, while evaluating services shared across military branches.
The DOD wants its tech providers to get with the agenda. For example, the manager of the Naval Enterprise Program Office instructed bidders for the Navy's multibillion-dollar Next Generation Enterprise Network contract to "be innovative to lower costs." RFPs are due in December.
The overall defense budget is subject to further cuts, including hard-hitting measures that would kick in should a congressional "supercommittee" fail to reach agreement on federal deficit reduction. "We're going to have continuing pressure on our FY 2012 and FY 2013 budgets," Takai says.
Research firm Deltek expects the DOD's IT budget to keep growing, albeit at only 1.3% annually over the next few years. The Pentagon "will have to reprioritize on need to have rather than nice to have," says Deltek analyst Deniece Peterson. "Budget constraints are definitely coming."
The DOD's spending on cybersecurity, budgeted at $2.8 billion in fiscal 2012, is flat compared with a year ago. That's surprising given the DOD's intense focus on cyber defenses and its recent decision to develop offensive cyber capabilities. However, that $2.8 billion doesn't tell the whole story. The DOD's budget includes an additional $119 million for Cyber Command and $50 million to be spent by DARPA on cyber research programs.
In testimony before Congress in April, Takai identified where some of that funding will go: public key infrastructure-based identity cards for access to the classified SIPRnet; new investment in an existing intrusion-detection application called the Host-Based Security System; expanded continuous monitoring capabilities; and improved identity management.
More has been piled on since April. In July, the DOD introduced its Strategy for Operating in Cyberspace, which identifies a handful of strategic initiatives and defines cyberspace as an "operational domain" around which it organizes and trains. That puts critical IT infrastructure on par with land, sea, air, and space when it comes to the military's attention and resources.
Last month, Army Gen. Keith Alexander--who's both commander of Cyber Command and director of the National Security Agency--took that strategy a step further. Alexander disclosed that "rules of engagement" for cyberspace have been submitted to the Pentagon's Joint Chiefs of Staff for approval. For the first time, military planners are contemplating what constitutes a cyberwar and the circumstances around which the U.S. would go on the offensive.
Takai's relationship with Cyber Command will be pivotal to the execution of these new initiatives. Based on the revised job description that awaits approval, the DOD CIO will provide "civilian oversight" and collaborate with Cyber Command on its tech investments.
"She sets policy, we do operations. I think that's the key," Alexander said a few weeks ago, when InformationWeek talked with him at an Information Systems Security Association event. "That's also part of the complication, in terms of how do we set that up." He credited Takai with facilitating dialogue among the military branches and Cyber Command about how to work as a team. "Teri has been a great person for collaboration," Alexander said.
The DOD still has work to do in articulating roles, responsibilities, and lines of communications between Cyber Command and other defense units. The Government Accountability Office, in a July report, pointed to "confusion" over command and control authorities when a major computer virus infected a DOD network. And it said the DOD faces "capability gaps" and a cyber skills shortage.
Such issues are sure to factor into planning as the military's CIOs put in their requests for next year's fiscal budget. "We have to make some decisions around where we may need expenditures from a cyber perspective," Takai says.
As the military moves toward an enterprise IT model, two initiatives in particular--data center consolidation and shared services--have some of the greatest potential for savings and new capabilities. In many cases, they will happen in tandem.
The Army, which is looking to close 75% of its 300 data centers, aligned that consolidation with its Base Realignment and Closure (BRAC) program, under which it's closing or reconfiguring dozens of facilities. As part of that work, the Army is consolidating applications and virtualizing servers. And it's transitioning its Exchange email environment--where servers are deployed and managed by internal departments--to a DISA data center, where Exchange servers are centrally managed. The Army has transitioned 230,000 users to email as a service, and it's converting others at a rate of 20,000 per week, with the goal of getting 1.6 million users on the service.
Mike Krieger, deputy CIO of the Army, notes several advantages to this approach. Users now have access to a global address list that includes everyone at the DOD. They get unlimited email storage, no longer limited to 200 MB. And the Exchange calendar function, which had been restricted to "enclaves" of users, is now all-inclusive, making scheduling easier.
The Army's switch to SaaS email is expected to save $100 million annually. Next, it plans to introduce collaboration tools as a service.
If all goes well, the DOD wants other branches to tap into DISA's email service. The Joint Chiefs of Staff is due to get it in January, and the Air Force could follow.
First, however, the Army must demonstrate that its email service can operate reliably. It was forced to put the Exchange implementation on hold for three months this past summer after encountering a series of network problems. Email traffic bogged down as improperly configured firewalls retransmitted packets, gobbling bandwidth. Other performance issues were traced to unpatched systems, an improperly configured intrusion-prevention system, and a faulty switch card.
The Army has since cleaned up those issues through attention to hardware configurations and other planning, and the migration is now going "smoothly," Krieger wrote in a recent blog post.
Change In Culture
The Army's email conversion is important for another reason. It's a test of just how far the military branches will go in sharing IT resources. Speaking at InformationWeek's Government IT Leadership Forum in Washington earlier this year, Krieger made that point in blunt military fashion. "In the past, we told DISA they couldn't do anything past the DISA point of presence outside the gate at Fort Riley," Krieger said, turning to DISA CIO Henry Sienkiewicz. "If they tried, we'd cut off their hands."
Now that DISA is the provider of its email service, Krieger said he told DISA vice director Maj. Gen. Ronnie Hawkins (since nominated to become DISA's next director) that he expects the agency to monitor the customer experience. Krieger recounted: "He said, 'Do you mean that we can go past the point of presence? Is the Army changing policy here?' And I said, yes."
There will be many ways to track the effectiveness of Takai's new IT enterprise plan--cost savings, cloud adoption, data center closings, and the level of virtualization. Key to all of that will be how many times CIOs are willing to say "yes" to new ways of working.
--With reporting by J. Nicholas Hoover