DOD’s Deputy CIO Wants to Change the Conversation on IT

When Danielle Metz became program manager for the Defense Information Systems Agency back in 2008, she didn’t know how the internet worked or what the cloud was. 

“All of that was very foreign to me,” Metz said in an interview with Nextgov. “But because I have this intellectual curiosity … and just recognize the talent that I've been blessed to be engaging with, [I] always had a true knack for the work that we've been doing.”

In 2021, Metz transitioned from acting to permanent deputy chief information officer for the information enterprise, a role in which she oversees major digital modernization projects like the Fourth Estate Network Optimization and software modernization projects. 

Nextgov caught up with Metz to talk about her goals and priorities as she moves ahead in the permanent role. 

This interview has been edited for length and clarity. 

Nextgov: Now that you’ve transitioned into your permanent role, what are your goals and priorities? What gets you going in the mornings? 

Danielle Metz: The first big thing is how we talk about IT. I really want to be able to change the conversation. I think that there's this misconception in terms of when you think of a CIO, you think of somebody who's responsible for laptops, computers, help desk. That is not what the CIO brings to the table. 

We are the bridge in terms of identifying the strategy for technical debt, legacy data centers, networks. I think we have the remarkable strategy to say, OK, here we have our landscape of these data centers that are physical data centers that do not have high compute. We cannot do any type of what we call software modernization, any DevSecOps, agile, anything. So we need to have an active plan—and this is grueling work to be able to understand your inventory of your landscape, be able to come up with discrete implementation strategies—to move from legacy to the new. 

With true collaboration, there is bound to be a lot of tension because there's a sense that someone is losing something, that they don't have control of something, and they feel that they're going to lose their ability to have a delightful customer or user experience. What you really need to be able to have is a strategy that everyone can see themselves in, that they are bought into, they feel ownership of, and that they trust. You're not going to agree on everything, but you create an environment, a working relationship, in terms of where you have mutual respect. 

I know that it seems trivial to say, hey, you're engaged with a lot of meetings, you're meeting with different people, you're understanding different perspectives, collecting that information, doing inventory. But that takes a lot of time. Because you have to build relationships, you have to understand what each perspective is and what that means and how it can connect to another. So that's a lot of groundwork that needs to be done beforehand. Part of the issue is that people get a little anxious when we're talking about these modernization activities, but we're not seeing progress, we're not seeing tangible results. It becomes a default to say we'll go after quick wins. The quick wins never really amount to something that puts you on a trajectory for that end-state vision. 

We were able to really take the time to work with those 13 organizations, their CIOs, their comptrollers to come up with a plan. We were really successful in terms of identifying a business case, what the total cost of ownership would be, the transfer of dollars, the transfer of civilians. 

Just to hit some highlights on the progress with the IT reform effort, the Fourth Estate Network Optimization—DTIC, which is the Defense Technical Information Center, next month will be in the new environment. That is exciting in and of itself. So what we started two years ago, we're now starting to see the seeds bloom. 

From an acquisition perspective, we've awarded a few contracts. The first big one was the DoDNet software catalog. This is where DISA is able to purchase all of what we call common use IT: think laptops, video teleconferencing, collaboration, capabilities, etc. So this is a consolidation of hardware and software that all the [Defense Agencies and DOD Field Activities] are able to use through DISA, and we're projecting that it's going to save about $600 million across the [Future Years Defense Program] over the next five years. That allows for the government to have better purchasing power, we're able to standardize what we're buying, and then DISA as a single service provider has the hands-on technical acumen and expertise from the desktop all the way to the enterprise. That is their responsibility. And this allows the [defense agencies and DOD field activities] to focus on their core missions, and DISA to really excel at their core mission which is delivering quality IT at the speed of relevance. 

And that's what we've postured DISA to do, we're starting to see some really amazing flourish taking place. Rarely, you get to do that in such a big strategic move. Because normally, you're only doing strategy, and then you move to the next thing. That's the transformation that's happening in the CIO, we're able to do broad-brush executive strategy but then also be a part of the implementation and help guide and steer and be what I'll call the lead facilitator across these different organizations to make it happen. It really requires a white-glove treatment. What I mean by that is to continue to nurture that trust that was built early on and to continue to have those engagements. Even though we have one victory, we're not done. It takes fortitude, the perseverance, the dedication, to really start seeing phenomenal, meaningful change. That's a real capstone for what the CIO is able to bring to the table, and how we're changing the conversation about IT. So that's on IT.

On the DTIC move to the new environment—will that be the beginning of May? End of May? 

Metz: I always like to say end of the month because we never hit the date of the first of May. Then the next one that we have up is [Defense POW/MIA Accounting Agency]. DISA also, I should have noted, went first. 

So DISA, as a single service provider, went first to make sure that they had all their processes in place that they had kind of a blueprint to be able to build upon. DTIC’s experiences will help refine that. It’s key to recognize that we're really taking a DevSecOps model. Instead of doing everyone all at once, we incrementally spiral in new capability, new customers, and we're constantly building upon those user experiences that we're feeding back into the process. The experience that DISA and DTIC have will not be the experience in terms of when DARPA goes, which is an FY24. It should be smooth sailing in terms of leveraging all of the lessons learned, the engagements, the refinement over the past 12 organizations that went before. 

Also, the Defense Enclave Services request for proposal closed back in February. Now we're in the process of reviewing the responses. We're still tracking for an award in December of this year.

You mentioned DevSecOps, so let’s talk about software. Where is DOD on working to acquire and upgrade software both at the speed of private industry, but also adversaries?

Metz: What we've been doing over the past year, in partnership with acquisition and sustainment, so DOD CIO and the [Office of the Undersecretary of Defense for Acquisition and Sustainment], is really to take a step back and figure out what’s the problem set that we were trying to tackle. 

Originally within DOD CIO, our problem set was [that] we needed to get to cloud. We had too much legacy, we didn't have the ability to have the high compute storage, the ability to do native software development in a cloud space. That was really good in terms of rallying the troops to have forward progress to not only get away from legacy but also do more enterprise-type activity.

Over the past year, we recognized that's not really hitting the mark in terms of just going to cloud for cloud’s sake. What we wanted to be able to do was to expand the problem set so that we can make sure that we were actually going to be delivering software faster to the warfighter. That is what we're calling our software modernization. It encapsulates that we have not only technical enablers, but we have business processes. Each step needs to be transformed. You can't just focus on one—all of them need to be transformed across the board in order for us to be able to really inculcate the fact that each access point is an ability to go fast. And fast not just for the sake of going fast, but to be more secure, more methodical in our quality management, how we have continuous testing, continuous authorization. 

We're breaking this mold that you have to collect requirements, you have to come up with a perfect plan, you have to implement the perfect solution, then you do your testing. By the time you do all that in the IT world, you are delivering obsolescent capability. Then you're also creating this gray IT shadow space where everyone's like, ‘I really need this, I'm going to try to figure out how to do this for my own.’ We need to be able to avoid that. 

So there's a lot of sins of the past that we're trying to correct with software modernization. We've done some pretty remarkable work in partnership with A&S, [the Office of the Director, Operational Test and Evaluation], and the military services. We have this community of practice where we bring everyone together, we're partnered with industry, we're able to have lessons learned, share experiences. We're also trying to leverage instead of everyone creating their own software factories, really being able to identify that sweet spot. One’s not the answer but nor is a proliferation of hundreds. We've designated Air Force’s Platform One as an enterprise service. So that's first choice. Navy is really taking off with the work that they're doing, so too are the Marines, a lot of [defense agencies and DOD field activities] are also in play with this.

In 2019, we had signed out this DevSecOps reference design, [that was] hundreds of pages. We knew at the moment that it was signed out, due to the staffing, it needed to be refreshed. So over the past six months, what we've done is a pivot. Instead of having this huge volume of a document, we created a continuum. It's just that it is tailored and customized based on the user skill set. For me, I'd probably be a fifth-grader reading some of their information. There are some services that are Ph.D. There are some that are really behind the power curve. 

Our goal within DOD CIO is to democratize the information to what we're calling software modernization so that everyone has an opportunity to be able to excel. We recognize that there are pockets of excellence that are taking place across the department. They're the exception, and they are exceptional. But what we really want to be able to do is feed what they've done back into the department so that everyone has that opportunity. It's not that we are waving off certain things, but we're really transforming each of our processes from funding, acquisition, testing, development, security, cybersecurity, and creating this end-to-end type spectrum so that each process is calibrated, optimized and improved upon continually so that we are able to allow for this really smart creative workforce to be able to build their software applications in the cloud and deliver incremental capability in a continuous sprint to the warfighter. 

We do all of this in order to get to that competitive edge and that competitive edge that we bring to the contested battlespace—whether it's physical or cyber—is speed. Speed to relevance to have that capability in hand. That's how we're changing the conversation of what CIO can do. We're bridging our past to the future. And there's so much to achieve between those two bookends. Everyone wants to talk about innovation. Everyone wants to complain about what we have. DOD CIO is actively changing that conversation to show how we can bridge all that and put us on a path to success. And that's what gets me excited every morning when I come to my job.

Looking at that Platform One designation, will Platform One be the only enterprise DevSecOps services team, or might others receive that designation as well? 

Metz: Oh, absolutely. Platform One a year ago, when it was designated, it was ready to take new business beyond just for the Air Force. I think we're also seeing that the Navy is coming up to speed with what they're doing. The idea is not to do for yourself, but to be able to allow for others to be able to participate. That's a change culturally within the department, too. The way that we are resourced is really very much service-specific. We have to change that in order to show that if we are going to behave and work as a joint warfighting community, we need to be able to share our resources across the board. 

The software factories are extremely expensive: They're hard to maintain, they take a lot of talent and resources. It just doesn't make sense for each organization to have their own because it's taking away from the ability to really achieve that speed. We want you to go to the factory and to start building out your applications, building out your software. You can't do that if you're starting from scratch, building your own software factory. Recognizing that there's commonality, there's always going to be uniqueness as well. But one can’t be sacrificed for the other. It's really difficult to say what that magic number is. You do know that you can't have one, [but] you can't have hundreds. 

Let’s talk about cybersecurity. Following months of SolarWinds and Microsoft Exchange intrusion news, what are some lessons learned that you can share? 

Metz: We take this very seriously. With the SolarWinds issue that was a supply chain compromise. Going back to our software modernization effort, by instilling cybersecurity and doing continuous authorization within our DevSecOps platform, we are able to ensure early on in the development of our software that we are being more secure. That is, again, another competitive advantage, because our adversaries are identifying weaknesses. If we are able to shore up early in the supply chain from a software perspective that we have security, and we're constantly, dynamically and continuously monitoring, adjusting, updating throughout the lifecycle of that software, that is how we're going to get a competitive edge. That's just one example of what we're doing within the software modernization activities. 

For the reform effort writ large, specifically for the IT, instead of having a multitude of different stovepiped networks that have a variety of different cybersecurity postures, the optimization into this new single service provider, reducing the footprint to one unclassified domain, one classified domain and having the standardization in terms of the catalog that we talked about, ensuring that we have standardization of what actually is on our network, having standard configurations, having an organization like DISA, that is the single service provider where their skill set is technology, is cybersecurity, and ensuring that they have eyes on that is another example of how seriously we're taking cybersecurity.