Wednesday, May 30, 2012

The DoD Joint Information Enterprise


We have a new label for describing DoD directions. It is the Joint Information Enterprise (JIE).

The Principal Deputy OSD CIO described it as follows: (1)
1. The DoD will unify its information technology assets into one common, data-centric information environment by optimizing all DoD systems to improve operational effectiveness and cyberspace security, while concurrently realizing efficiencies in response to increasing security threats and decreasing fiscal resources.
2. Consolidate data centers; Consolidate operations and management of network infrastructure; Integrate and capitalize test and integration centers; Consolidate end‐user services (email, collaboration).
3. Migrate services to private or public clouds.
4. A common network framework and standardized architecture based on a single set of standards that guarantees secured data; A common enterprise approach to deliver information as well as data services; A single identity management, role, and attribute-based access control mechanism and data strategy; Common tools; Access to required data at the point of need regardless of location or platform.
5. Common Identity Management and Attribute-based Access Control for Authentication, Identity, Attributes, Authorization/Enforcement and Audit.
6. JIE Implementation Plan will identify the fundamental tasks that must be done in order to set the foundation for the JIE on or about 1 APR 12 when the Plan will also include JIE Architecture.

SUMMARY
The DoD IT Enterprise Strategy and Roadmap does not define the organizational approach for JIE implementation except for assigning policy responsibilities to the OSD CIO.(2) It specifies the roles of the Vice Chairman of the Joint Chiefs of Staff, who directs a hierarchy of boards, including the Joint Capabilities Board (JCB) and Functional Capabilities Board (FCB), along with the processes delineated in Chairman of the Joint Chiefs of Staff Instruction (CJCSI). But none of this describes an actionable executive organization with the capacity for managing the implementation of JIE. What is missing so far is a description of the critical role of U.S. Cyber Command in steering the directions of JIE.

Here are some of the tasks that will be needed for the successful execution of JIE:
1. Common, data-centric information environment: This will require full implementation of the MetaData Directory, including the imposition of shared data definitions and attributes for a DoD-wide application of the Directory to over 10,000 applications. The MetaData Directory is currently managed by DISA and is far from complete, so not all applications have data that is tagged for data-centric implementation. How will this be done, and what changes in authority are required to assure full compliance with this fundamental prerequisite for data-centric systems?
2. Consolidation: With over 5,000 system “silos” in place in DoD, the task of consolidating servers will require the standardization of virtual applications into a hybrid cloud environment so that computing capacity can be pooled for the uniform adoption of end-user services. Though such standardization is necessary for data center consolidation, its primary purpose is to allow integration of the operations and management of the network infrastructure and the establishment of end-user services. DISA is now proceeding with the consolidation of Army e-mail services, but that is only a fraction of the potential scope of a DoD-wide consolidation effort. For instance, by what means will the Navy and the Marine Corps participate in JIE consolidations when they are already committed to a number of multi-billion stand-alone projects?
3. Cloud Migration: What organization will have the responsibility for guiding the conversion of tens of thousands of applications to JIE, operating as a collection of private and public clouds? Even though the management of such migrations will have to remain with the Components, there will have to be an overriding authority that assures shared cloud software so that results across DoD are compatible. This will require shared funding of JIE projects and therefore will necessitate control over budgets. How can that be organized when the Joint Chiefs do not have the structure for controlling a large share of total DoD IT spending?
4. Common Architecture and Application Frameworks: There is wide variation in available cloud technologies and services. To assure interoperability and portability of applications within public and private clouds, vendor selection as well as Application Program Interfaces will have to be defined and monitored for consistency. What organization can be assigned the responsibility to do that? The OSD CIO has a relatively small policy-level staff. OSD, by legislation, must serve the needs of the civilian executives attached to the SECDEF. The OSD CIO does not have a charter that permits the supervision of the local details required for the adoption of JIE tools and methods.
5. Common Network and Standard Architecture: Achieving uniformity would require oversight of the methods pursued by thousands of contractors involved both in the development of new applications and in upgrading legacy systems. Standard testing and development tools would have to be accepted throughout to assure compliance with common JIE objectives. How can such a staffing arrangement be assigned within the existing structure, or will DoD require a major reorganization of roles and missions into a shared information utility that operates as a for-fee service?
6. Common Identity Management: This requirement is mandatory for delivering JIE security objectives. It calls for complete centralization of control over the granting of access privileges, and it becomes one of the primary means for a secure JIE. One of the requirements will be tight integration with all of the manpower resources systems as the source of information about the authority defined by the security roles of individuals. The organizational placement of control over access privileges would have to be shaped not by IT policy, but by national security and intelligence goals.
7. JIE Implementation Plan: The target for producing the foundation for the JIE is 1 APR 12, when it will also include the JIE Architecture. That is ambitious. Although working committees have been appointed, JIE represents a major overhaul of the authorities and roles of every DoD component, which extends beyond the missions that have always been assigned to CIOs. Who will be the executive agent accountable for the delivery of such plans and for assuring that they can then evolve for rapid implementation by FY17?

The stated JIE missions represent ideas that have been gestating for at least 20 years. By now coupling the JIE Plan with military goals and the JCS, the possibility of achieving the stated goals looks promising.

So far, what seems to be missing is the governance that will guide execution. Following up on JIE progress will be our major focus in years to come.



(1) http://www.sussconsulting.com/documents/14Feb_0800_Carey_DOD_FedNet2012_001.pdf
(2) http://dodcio.defense.gov/Portals/0/Documents/Announcement/Signed_ITESR_6SEP11.pdf


Monday, May 28, 2012

Open Source Applications for Office


Open source applications are primarily catalogued in SourceForge, which is a web-based source code repository. It acts as a centralized location for software developers to control and manage free and open source software development. It hosts over 300,000 projects, has more than 2 million registered users and attracts at least thirty million visitors.
The principal supporter of open source computing in SourceForge is the Apache Software Foundation. It provides support for the Apache community of open-source software projects, which are defined by collaborative consensus, a pragmatic software license and a desire to create high quality software that leads the way in its field.
The Apache Foundation supports over 100 major software projects. For instance, the Apache open-source web server supports all modern operating systems, including UNIX, Microsoft Windows, Mac OS X and NetWare, and it observes current standards. Apache has been the most popular web server on the Internet, with 65% market share.

Apache OpenOffice is free software, which means you can download it, install it for free on as many devices as you like, and pass copies to as many users as you like. OpenOffice can be used for any purpose without any restrictions.

A free software license means you never need to worry whether the software is legal, or whether it will expire some day. There is no need for software audits or for keeping invoices for years, and no worry about ending up in court because you misread some small print in a license agreement.
Apache OpenOffice will read and write files that can be used in other common office software. It supports the ISO standards for office file formats. It also runs on platforms from Microsoft Windows and Apple Mac to Linux, so it can interoperate with other software you may want to use.

Designed from the start as a single and fully integrated piece of software, Apache OpenOffice is based on the open-source development model, which means there is no hidden code, but it requires the “javascript” language to achieve compatibility.

It is easier (and cheaper) to move to OpenOffice from Microsoft Office than it is to upgrade to Microsoft's latest Office 2007 or Office 2010. As Microsoft updates its operating system to Windows 8 and to a new browser (Internet Explorer 10) the ability to maintain the integrity of OpenOffice applications becomes increasingly costly.

Apache OpenOffice contains all the office software in one single package. The installation includes features which some expensive rivals do not, for example the ability to create .pdf files when you want to guarantee what the recipient sees on their computer. There is also a growing range of extensions: additional features that any developer can provide. Releases of software take place several times a year, so you can take advantage of new features as quickly as possible. OpenOffice includes Writer (a Word replacement), Calc (an Excel replacement), Impress (for presentations), Draw (for graphics) as well as Base (a database application). In effect, it provides a complete replacement for the now dominant and most profitable Microsoft Office application.

Anyone can look at the programs and suggest improvements, or fix bugs. Anyone can report problems or request enhancements, and anyone can see the response from other users or developers. The status of current and future releases is displayed whenever one wishes to upgrade to take advantage of new features.

SUMMARY
DISA currently operates Forge.mil, which provides capabilities where developers can collaborate on open source and DoD community source applications. Forge.mil provides tools to improve the communication between teams and individuals working to solve similar problems and/or discuss similar issues. These capabilities are available only for Government authorized use.

The extent to which Forge.mil has managed to provide off-the-shelf software solutions that make existing “silos” less isolated and more interoperable is not known. Apache OpenOffice is not included on Forge.mil.


Sunday, May 27, 2012

Cheap Desktop Computing for the Army


If you have close to a million desktops, the temptation will be to cut costs by taking one major application at a time and then proceeding with incremental consolidations into cloud services. That is what the Army is doing. It is migrating eighteen separate e-mail enclaves into a single cloud service provided by DISA. This approach will generate savings of close to $80 million/year, with the Air Force to follow after the Army succeeds.

One could ask whether such a gradual approach is the best way of generating the multi-billion IT cost reductions expected in years to come.

The slow incremental approach still leaves the Army reliant on costly desktops and smart-phones for access to the hundreds of other applications located on the servers that support the workforce.

The Army could save more by proceeding with virtualization of all of its 800,000 desktops. By cutting the configuration of costly-to-maintain desktops, it could reduce five-year hardware costs by an additional $1.6 billion. The greatest benefit would come from the reduction of infrastructure and administrative costs by $2.4 billion. The Army could accomplish this by encapsulating existing software and moving it to central cloud services. Virtualized servers would then perform all of the configuration management, software updating and security services for desktops as well as mobile computing. When operating from a pool of virtualized servers, much larger cost reductions would become available immediately.

There are additional savings available from reductions of servers in the data centers. However, the major target should be the cuts in personnel costs for maintenance of the desktop and mobile computing devices that are located at hundreds of sites where local contractors support them. It is the wide dispersion of information technology maintenance that is nowadays the greatest drain on IT budgets.

SUMMARY
As of mid-2011, at least 40% of computing workloads have been virtualized in data centers. Time has now come to extend the benefits of virtualization to end-users. Commercial firms are now making plans to scale the virtualization of desktops to thousands of widely dispersed users.

The virtual desktop infrastructure (VDI) adoption rates are growing as businesses are turning to such solutions to tackle complex desktop environments, security and compliance issues. An increasingly mobile workforce can meanwhile access their desktops even when disconnected from the network.

Time has come to reach out to the millions of user devices that operate in thousands of “silos”. They should be brought into a consolidated cloud environment where much lower costs and increased security can take place.

Tuesday, May 15, 2012

How Secure is G-mail?


As the General Services Administration (GSA) migrates to Google cloud services, agencies are aware that a comprehensive security strategy is essential for the adoption of cloud-based computing. GSA is in the forefront of the government’s “cloud first” strategy, which is designed to lower IT costs through the adoption of cloud-based applications. Following the identical path are the National Oceanic and Atmospheric Administration, the Air Force Weather Agency, the US Forest Service and the Food and Drug Administration.

The new policy requires federal agencies to identify three "must-move" IT services that can be migrated into cloud computing applications and to complete the migration in 2012.
Here are some of the Google user security features as defined for GSA:

1. Unified directory service plus single sign-on software that covers all applications.
2. Two-factor authentication that meets regulatory mandates for information security. Passwords plus smart cards are used for authentication.
3. Qualifies for Federal Information Security Management Act (FISMA) certification as a multi-tenant cloud application.
4. Standard web single sign-on using SAML 2.0 is in place.

A key issue of trusting Google services involves the question of data ownership:
1. Google does not own user data. The data which users put into a Google data center remains exclusively with the user. Data cannot be shared with others except as noted in the Privacy Policy statement (http://www.google.com/policies/privacy/).
2. Data is retained by Google only as long as specified.
3. Data can be used to work with external services or can be removed altogether.
4. Data is stored in Google's network of geographically distributed data centers that form redundant clusters. There is no single point of failure.
5. Access to data centers is limited to only a few security-certified Google personnel.
6. Google Apps received an unqualified SAS70 Type II certification, with the following controls in place:
   Logical security: Logical access to Google Apps production systems and data is restricted to authorized individuals.
   Privacy: Google has implemented policies and procedures addressing the privacy of customer data.
   Data center physical security: Data centers that house Google Apps data are protected.
   Incident management and availability: Incidents are properly reported, responded to, and recorded.
   Change management: Testing and independent code review take place prior to release into production.

SUMMARY
The security of the Google G-mail public cloud must be compared with the security of a private cloud based on a proprietary solution, such as Microsoft e-mail hosted at a DoD site such as DISA’s DECs. Differences are found in costs (much higher costs for private clouds) and in execution (the quality of personnel in the public cloud is greater).

The security requirements that were set for proceeding with the private cloud for the Army eliminated G-mail as an option altogether. Features were added that were satisfied only by modifications and custom features delivered by Microsoft at no cost. No efforts were made to negotiate modifications of services with other vendors.

No vendors other than Microsoft were considered in the evaluation of prospective suppliers, not even already established vendors such as Amazon, CISCO and HP. It remains to be seen whether the DISA choice of proceeding with a Microsoft-based private cloud will justify the elimination of G-mail or any other cloud vendor.

Potential Reductions in Personnel


The projected net savings from the Army e-mail migration to DISA e-mail will be $76.1 million in FY13 and $78.5 million in FY14, ultimately rising to $86.9 million in FY17.(1) Assuming that at least 60% of these savings will be in manpower, this is equivalent to the elimination of about 950 FTEs. Savings will accrue mostly from manpower because server virtualization will reduce the costs of hardware.

The current Army e-mail costs (i.e., the status quo) are $186.3 million in FY13, or 0.5% of the total IT budget of $38 billion. Assuming that at least half of the total IT budget, excluding the costs of communications, is made up of manpower costs, this suggests that the maximum total potential manpower reduction for DoD could be as high as 95,000. That number assumes that all components are at least as inefficient as the Army. That is unlikely, but plausible for scoping purposes. A concerted effort to reduce IT costs could have an impact on manpower employment, which is mostly made up of contractors.

The Army is replacing at least eighteen different network enclaves in existence with redundant Microsoft Exchange e-mail systems across the globe. The large number of disparate and redundant networks, along with the high number of servers and personnel required to maintain them over the life cycle of the systems, resulted in high costs and significant operational inefficiencies. Most Army installations host their own Microsoft Exchange servers and employ a large support staff.

Since it is not known whether such inefficiencies are typical of other DoD components, they cannot be used for estimating the cost reduction consequences elsewhere. However, the Army’s planned cuts are an indicator that the elimination of contractor personnel may come to influence how implementation will be allowed to proceed.

SUMMARY
DoD is facing the potential of large reductions in the number of support personnel deployed in IT operations. These personnel are made up mostly of contractors, with a share operating under set-aside contracts for small businesses. The political pressure of small firms on local Congressional delegations to curtail manpower reductions could become an obstacle to implementing proposed cost reduction plans.

(1) ENTERPRISE EMAIL, ARMY SERVICE ACQUISITION, REPORT TO CONGRESS. Feb 01, 2012

Saturday, May 12, 2012

Thrifty Does It


The May 21, 2012 issue of Forbes magazine describes how tech company start-ups acquire information technologies without spending for the acquisition of IT overhead. These firms use commercial cloud services instead of setting up their own data centers.

DoD operates over two thousand small applications with annual budgets of less than one million dollars. These applications deal with short-term IT requirements or consist of pilots to demonstrate the feasibility of a computerized solution.

The availability of low-cost cloud computing solutions has recently become a flood of offerings. Thought should now be given to switching to deployments through Infrastructure-as-a-Service (IaaS) for small applications. Later, such an approach can be scaled up to multi-billion enterprise programs.
New projects need not be encumbered with the burden of elaborate planning, cost justification, development and acquisition of computers as dictated by existing Directives. Instead, DoD should adopt the method for rapidly setting up new projects cheaply and instantly. An experimental system can be tried without much risk and for a small expense. Innovative applications can be tested and even discarded without committing to multi-year expenses. After a new project demonstrates its suitability, it can always be scaled up.

Forbes illustrated “thrifty” computing in the following table:

The principal advantages of low-cost operations are:
1. There is no need to acquire dedicated servers. A low-cost pool of IaaS servers is readily available, so that a customer purchases only as-needed machine cycles from an already standard infrastructure. Purchasing servers can be justified later, after the scope of the application justifies a much larger overhead.
2. The cost of data center operating personnel is already included in run-time charges.
3. E-mail and associated Office software will be available at no charge until the scale of operations rises well beyond the original scale.
4. One of the most expensive software licenses is the charge for Oracle databases. That can be rented on a per-use basis.
5. Unless security issues are involved, a new application can depend on the Internet to establish connectivity to and from the cloud.
6. Setting up a stand-alone application involves many added security software features, usually purchased through licensing. When developing a new application, reliance on a wide variety of open source software should suffice.

Initially thrifty computing should be used primarily for applications that do not require stringent security measures. This includes human resource management (FY12 expense of $1.7 billion), administrative and financial management ($1.1 billion), health management ($1 billion) and supply management ($3 billion).

SUMMARY
Thrifty computing offers an attractive option for immediate cost reductions. Many small-scale applications, already in the process of implementation, can be encapsulated for immediate virtual migration to IaaS services, which are readily available as mature and tested environments in both public and private offerings.

If an IaaS service already includes in its infrastructure elaborate security safeguards, adopting a thrifty approach will deliver not only immediate dollar savings but also significant gains in information assurance.