Originally published on Sept. 11, 2014.
Dave Bennett has served as CIO of the Defense Information Systems Agency since 2012, and prior to that worked in other functions at the agency. Having helped oversee, at various points, areas that include acquisition, enterprise services and command-and-control systems, it's safe to say that Bennett's background has prepared him well for DISA's evolving mission.
Bennett recently sat down with C4ISR & Networks Senior Staff Writer Amber Corrin to talk about DISA's responsibilities, emerging tech trends and what lies ahead for the agency and defense IT.
From your perspective, how have DISA's role and responsibilities changed over the past few years?
From an agency perspective, we've been delivering infrastructure and services for quite a while. That can be the network services over communications infrastructure DoD rides on, and also enterprise services. So from the end-user perspective, users can leverage capabilities from the enterprise without having to develop or host locally. From an agency perspective, we also host applications for the services and agencies so they don't have to do that themselves.
When you talk about worldwide IT services and so on, we really do cover the gamut from the standpoint of providing that infrastructure, as well as the capabilities and services, as well as the computing infrastructure that the services can leverage.
What you're seeing more and more is DISA taking a greater role at the desktop level. In the past that role really stopped at the point of presence at an installation and didn't really do anything at the desktop level, but as you look at enterprise email and things like unified capabilities (UC) and virtual desktop infrastructure, you're starting to see the agency sort of moving further into the desktop environment as part of the delivery of IT to the department. What that does for the department is it allows the services and posts, camps and stations to free up some of their resources where they don't have to stand up their own email services. It allows them to save resources and money because that's delivered from the enterprise. So we are more involved in the day-to-day work of DoD personnel – for example, with enterprise email sitting on 1.6 million desktops, we're now delivering that capability across the globe.
So what kind of benefits do those changes yield for DoD? How does it impact the daily missions of DoD personnel?
Over the years, as we've been investing in that infrastructure, it only has improved capabilities and given the department greater flexibility in allowing them to do more things and take more advantage of those capabilities. For example, the expansion of bandwidth. From an agency perspective, we've had a huge increase in bandwidth available throughout the infrastructure, which gives us greater flexibility in computing, as well as where we host capabilities at the enterprise level. In many respects it takes distance out of the equation.
We've invested in improving the core data centers to the tier 3 level, which from a reliability and availability perspective ensures the facility is able to remain up and running under adverse conditions and ensure capabilities hosted there remain available to users.
Also, leveraging remote management of capabilities and infrastructure — by doing that we're able to reduce costs and increase efficiency by having technical staff and management staff able to oversee and manage those devices and technologies around the globe from one central place within one facility. A good example is enterprise email. We're able to manage the infrastructure globally from one location inside one of our [Defense Enterprise Computing Centers] in the continental United States, which significantly reduces our costs and ensures we're managing and running our capabilities in a standard way. You're seeing the performance across the enterprise environment at one time, as opposed to 10 or 15 different sets of eyes all making their own decisions in how to manage capabilities.
Overall, moving to the cloud will give us increased flexibility, as well as an opportunity to lower costs. We're looking at a variety of approaches related to cloud computing. Obviously [that includes] milCloud, our own internal department private cloud, but we're also wanting to take advantage of commercial cloud for that publicly releasable information, and also hybrid for commercial cloud behind the DoD fence line, extending the DoD fence line around commercial capabilities. Going forward I think you're going to see a combination of all of these as a way to leverage the commercial cloud — I don't think it's going to be one solution for everything.
What's the latest with milCloud?
MilCloud went live in January; I would say we are in the early stages of implementing the capability. We have a varied list of users that are leveraging milCloud today and we are taking lessons learned from all of those scenarios to figure out what's the best way to auto-provision and give customers what they need in a seamless fashion, whether that's the computing platform or additional services such as system administrator support.
The real intent is to provide an environment where the application owner can come in and self-provision in an automated fashion and never really have to talk to someone at DISA to get the capability up and running. We're working to flesh out that process; we're not there yet, but we're working through a variety of aspects such as an automated funding document used to pay for services, for example.
Beyond commercial cloud offerings, what else are you looking to industry for in particular these days?
We've been doing it for a while, but more and more we're leveraging commercial products out of the box as opposed to adding special software to commercial products to turn it into the capabilities we want. Use of [commercial off-the-shelf versus government off-the-shelf] is shifting more to the COTS side of the house, as well as leveraging more shareware or freeware available in the public domain. Again, enterprise email is a great example.
COTS isn't new; what's new about it is taking functionality as it exists in the box and not putting a special government wrapper around it to meet government requirements. What I'm seeing more and more now is the idea of changing process to take advantage of the product, as opposed to trying to change the product to satisfy existing processes.
What are some of the other emerging uses for commercial products, beyond enterprise email?
Our desktop capabilities, our SharePoint enterprise solution … commercial products are now one of the first things we look at when we identify a requirement that needs to be satisfied. Those are the capabilities we have in use today; as we go forward I think you'll see more leveraging of commercial products.
Mobility is a key aspect of providing an enterprise capability now, as well as in the future; we now have the NIPR version of mobile devices up and operational, and we're working on a classified version. That's a huge step forward leveraging commercial capabilities across the board.
With unified capabilities, we're expecting to see big movement there and leveraging commercial solutions for that is going to be an important step to ensure we get the fully integrated set of capabilities that end users are expecting and really wanting to see to enhance productivity.
Virtual desktop infrastructure is another big one. It really gives you the flexibility to have your desktop wherever it is you want to see it, and to move from platform to platform. From my perspective as CIO, one of the huge benefits is reducing the vulnerabilities of having to patch every desktop within agencies. By moving to VDI we now can really just focus on securing back-end servers and not worry about thin client or zero client sitting at the workstation of someone in the agency. That's going to be a big game changer.
You can't have a conversation about defense IT without talking about cybersecurity. How do you see cybersecurity unfolding at DISA?
There's definitely an increased focus on information assurance (IA) and cyber. Insider threat is an issue that's growing in concern as we see more scenarios of people getting access to information not intended. How we handle the insider threat issue as we move to enterprise services is something we're paying attention to. We're focusing a lot of effort on ensuring we understand who has elevated user access and for what reason, and putting lots of effort and activities in place to make sure we fully understand what that privileged user capability is, and how we're managing and monitoring that insider threat.
We're starting to look at IA from a risk perspective and making risk-based assessments versus just looking at what are the Category 1 vulnerabilities in the system. Now we're looking at the entire system and saying, not only am I concerned about Category 1s, but what about other IA vulnerabilities out there? Can you group them together and create a scenario that we can't afford to allow to exist? So as we move more toward risk-based assessments, we start to look at more factors beyond just Category 1 — how are things coming together, what are other vulnerabilities out there, and how it could create an opportunity for a bad actor.
That's part of our move to a single security architecture. It's really to get to a standard approach for how we provide that security environment at the data-center level so you fully understand what that environment looks like, and so that it's consistent throughout the [DoD network] and everybody is riding behind that so you can collapse all the different types of security solutions into one single standard approach to how we do security.