Making software more than 'IT thing'

Software modernization has a branding problem, and it's going to take more than the colloquial culture shift to speed up the Defense Department's adoption of modern tech capabilities, according to Deputy CIO Peter Ranks.

Pentagon photo by Air Force Tech. Sgt. Ned T. Johnston
 


"Part of the marketing of this is to make sure that being good at software escapes the domain of IT people and really gets thought of in the context of making us more effective at warfighting," Peter Ranks, the deputy CIO for information enterprise, told FCW.

"The real challenge for the leadership, I think, is not to just latch on to the tech piece of this, but to really be willing to dig in and have the sustained focus to kind of impact culture," Ranks said.

But the bureaucracy isn't built for software's rapid development, increased demand and security needs -- something that played a major role during the Defense Department's response to tech needs spurred by the pandemic and teleworking.

"We've got folks working in a workforce lane over here, we've got instructions from Congress, we've got new acquisition authorities, we have a conversation about a color of money for software, we have lots of tools development, we have nascent conversations in places like the test community -- but it wasn't really pulled together at least from what I could see into a program of work in a highly communicative community," Ranks said.

That "communicative community" wasn't really possible before nationwide shutdowns for COVID-19 forced much of the Defense Department's workforce from secure, but latently connected, offices to their homes.

"I didn't get chat messages from these guys in the other [military] services in a way that was not actually super easy to do prior to standing up [the Commercial Virtual Remote] service," DOD's version of Microsoft Teams, Ranks said.

But the move has turned into a must-have capability that goes beyond an option in case virtual private networks failed.

"It turned out the need we were really meeting was not one of what if my infrastructure fails, it was just a gaping hole around legitimate collaboration capability, especially cross [military] service capabilities," Ranks said.

'Failure to communicate' security

Ranks said his office is focused on two major things in the next year: the intersection of DevOps and cybersecurity, and tracking the DOD's progress as it adopts new tools and methods around software.

"Our security folks should be begging us to get to a DevSecOps model, but we haven't yet demonstrated how all of that data that is emitted by these tools gets turned into the type of evidence that they need in order to make their risk management decisions," Ranks said.

"That's evidence of a failure in communication" that Ranks wants to correct in fiscal 2021 with guidance for the cyber community on how it can implement a DevSecOps model, similar to the reference guide issued for developers.

Ranks first indicated the need for a security-focused guide in January before COVID-19 lockdowns took hold, with the expectation that it would be completed by the summer.

"[DOD] put out some stuff that says here are some good models to use to build DevOps pipelines. We need the companion document that shows here's how you can vouch for the security of the products of those pipelines and then all of the tooling that goes along with that," Ranks said.

"We tend to measure a lot of the effort and the input, but it's difficult for us to actually assess the impact at the other end. But we don't really have good instrumentation to measure speed and quality delivered to the end user."

Ranks said that is being worked on now so "the data that these systems can kind of naturally produce gets rolled up in a way so that we can track speed and quality."

"From a culture change perspective, security-minded perspective," said Paul Puckett, the director for the Army's enterprise cloud management office, "there's a lot of unknown -- a new methodology, a new way of doing business. But a lot of it gets to, I think, understanding kind of how cultures were created. And if we want to change cultures, we have to understand what has created these cultures."

That means rethinking the importance of checklists, audits and other compliance exercises when it comes to measuring true security.

"Can we actually assess our systems in the mean time to detect the security vulnerabilities in our environment? And then are we really assessing ourselves against our mean time to restore those security vulnerabilities to actually a good state?" Puckett said.

The Army is tackling the security issue a little differently by partnering with Army Cyber Command and Army Network Command to fold the security community into the DevSecOps ecosystem and training, the Army's enterprise cloud director said.

"To Pete's point, the tools and the resources just are fundamentally new and so we've got to bring those people along when it comes to understanding how we manage risk in real time, leveraging new methodologies for building systems and therefore new tools for assessing our risk posture," Puckett said.

But the Defense Department's ultimate goal of overhauling its software development, fully converting to DevSecOps by 2025, can't be done without complete buy-in, and assists, from the technologists inside the DOD.

Platform One: the prototype

The Defense Department is still figuring out how to market new software capabilities in a culture that is used to mandates and organizations operating independently toward a common goal rather than free-flowing collaboration.

The DOD CIO issued a memo in May directing components to use DOD's Enterprise Management Services for "existing, accredited, and supported infrastructure" such as the Air Force's Platform One as a DevSecOps provider. But the message got jumbled, Ranks said.

"I think we created some confusion there about whether or not that was intended to be a mandatory you must use this across the department -- which it wasn't," Ranks said. "But it was definitely a, 'hey, this is available and you can use it.'"

The Air Force's Platform One has become an example of the cross-pollination the DOD chief information office is aiming for with adoption by a dozen government entities, including Homeland Security, the Justice Department, Internal Revenue Service, and DOD's Joint AI Center.

The JAIC's alliterative Joint Common Foundation, which is built on Platform One, will be used to help make AI and machine learning capabilities more widely available across the Defense Department.

And Ranks hopes the center's high profile will encourage others to follow.

"The JAIC is an example of an [Office of the Secretary of Defense] component who's going over and can take advantage of this Air Force program. And that could have happened without the memo we had in place, but the point of the memo I think is to make it easier for people to find those services and take advantage of them," Ranks said.

"And that means the JAIC doesn't have to do that work themselves, and they can focus on building the specific machine learning tools that they want to build on top of the regular DevOps pipeline."

But just like with anything else, the DOD CIO will have to develop ways to measure and communicate outcomes and benefits of using DevSecOps and vetted infrastructure like Platform One, if it wants to hit its 2025 goal.

"What happens when a team uses all of the tooling from the Joint Common Foundation and builds algorithms? When it comes time to deploy those things they still run into is essentially a sprawling IT infrastructure ecosystem that is not set up to accept rapid updates, rapid deployments of these tools and everything else," Ranks said.

"So then we have to ask the questions about what do I need to do from a cybersecurity perspective, what do I need to do from a test perspective in order to enable those things."

The Air Force's first chief software officer Nicolas Chaillan told FCW there was still work needed on the security front as well, particularly with the Defense Security/Cybersecurity Authorization Working Group (DSAWG), which handles accreditation review for DOD's networks. Without the group's approval, many software modernization efforts would stall.

"We still have a lot of progress to be made when it comes to the DSAWG and making sure people understand zero trust," Chaillan said.

The chief software officer said the Air Force would help with producing training content to up folks' education and training on cloud security, including guidance on using the continuous authority to operate for authorizing officials, their teams, and cyber teams.

"There's a lot of education to be made and we'll bring on a lot of training content to help people understand. So one of the engagements of the DSAWG to bring guidance for the continuous ATO both for the authorizing officials and for their teams and their cyber teams to understand it better and really remove the fear."

And removing that fear could save the department time and money, he argues.

"I find we have the right people and the right involvement. I think sometimes there's a lack of urgency and it feels like we're still moving a little bit too slow and that's what I want to do a little bit better at," Chaillan said.

"We saved about a hundred years of program time in the Air Force just moving to DevSecOps in one year, so the timeliness value there is incredible."
