Making software more than an 'IT thing'

Software modernization has a branding problem, and it's going to take more than the colloquial culture shift to speed up the Defense Department's adoption of modern tech capabilities.

"Part of the marketing of this is to make sure that being good at software escapes the domain of IT people and really gets thought of in the context of making us more effective at warfighting," Peter Ranks, the deputy CIO for information enterprise, told Defense Systems.

"The real challenge for the leadership, I think, is not to just latch on to the tech piece of this, but to really be willing to dig in and have the sustained focus to kind of impact culture," Ranks said.

But the bureaucracy isn't built for software's rapid development, increased demand and security needs -- something that played a major role during the Defense Department's response to tech needs spurred by the pandemic and teleworking.

"We've got folks working in a workforce lane over here, we've got instructions from Congress, we've got new acquisition authorities, we have a conversation about a color of money for software, we have lots of tools development, we have nascent conversations in places like the test community --- but it wasn't really pulled together at least from what I could see into a program of work in a highly communicative community," Ranks said.

That "communicative community" wasn't really possible before nationwide shutdowns for COVID-19 forced much of the Defense Department's workforce from secure, but latently connected, offices to their homes.

"I didn't get chat messages from these guys in the other [military] services in a way that was not actually super easy to do prior to standing up [the Commercial Virtual Remote] service," DOD's version of Microsoft Teams, Ranks said.

But the move has turned into a must-have capability that goes beyond an option in case virtual private networks failed.

"It turned out the need we were really meeting was not one of what if my infrastructure fails, it was just a gaping hole around legitimate collaboration capability, especially cross [military] service capabilities," Ranks said.

'Failure to communicate' security

Ranks said his office is focused on two major things in the next year: intersection of DevOps and cybersecurity, and tracking the DOD's progress as it adopts new tools and methods around software.

"Our security folks should be begging us to get to a DevSecOps model, but we haven't yet demonstrated how all of that data that is emitted by these tools gets turned into the type of evidence that they need in order to make their risk management decisions," Ranks said.

"That's evidence of a failure in communication" that Ranks wants to correct in fiscal 2021 with a guidance for the cyber community on how they can implement DevSecOps model, similar to the reference guide issued for developers.

Ranks first indicated the need for a security-focused guide in January before COVID-19 lockdowns took hold, with the expectation that it would be completed by the summer.

"[DOD] put out some stuff that says here are some good models to use to build DevOps pipelines. We need the companion document that shows here's how you can vouch for the security of the products of those pipelines and then all of the tooling that goes along with that," Ranks said.

"We tend to measure a lot of the effort and the input, but it's difficult for us to actually assess the impact at the other end.but we don't really have good instrumentation to measure speed and quality delivered to the end user."

Ranks said that is being worked on now so "the data that these systems can kind of naturally produce gets rolled up in a way so that we can track speed and quality."

"From a culture change perspective, security-minded perspective," said Paul Puckett, the director for the Army's enterprise cloud management office, "there's a lot of unknown -- a new methodology, a new way of doing business. But a lot of it gets to, I think, understanding kind of how cultures were created. And if we want to change cultures, we have to understand what has created these cultures."

That means rethinking the importance of checklists, audits and other compliance exercises when it comes to measuring true security.

"Can we actually assess our systems in the meantime to detect the security vulnerabilities in our environment? And then are we really assessing ourselves against our meantime to restore those security vulnerabilities to an actually a good state?" Puckett said.

The Army is tackling the security issue a little differently by partnering with Army Cyber Command and Army Network Command to fold the security community into the DevSecOps ecosystem and training, the Army's enterprise cloud director said.

"To Pete's point, the tools and the resources just are fundamentally new and so we've got to bring those people along when it comes to understanding how we manage risk in real time, leveraging new methodologies for building systems and therefore new tools for assessing our risk posture," Puckett said.

But the Defense Department's ultimate goal of overhauling its software development, fully converting to DevSecOps by 2025, can't be done without complete buy in, and assists, from the technologists inside the DOD.

Platform One: the prototype

The Defense Department is still figuring out how to market new software capabilities in a culture that is used to mandates and organizations operating independently toward a common goal rather than free-flowing collaboration.

The DOD CIO issued a memo in May directing components to use DOD's Enterprise Management Services for "existing, accredited, and supported infrastructure" such as the Air Force's Platform One as a DevSecOps provider. But the message got jumbled, Ranks said.

"I think we created some confusion there about whether or not that was intended to be a mandatory you must use this across the department -- which it wasn't," Ranks said. "But it was definitely a, 'hey, this is available and you can use it.'"

The Air Force's Platform One has become an example of the cross-pollination the DOD chief information office is aiming for with adoption by a dozen government entities, including Homeland Security, the Justice Department, Internal Revenue Service, and DOD's Joint AI Center.

The JAIC's alliterative Joint Common Foundation, which is built on Platform One will be used to help make AI and machine learning capabilities more widely available across the Defense Department.

And Ranks hopes the center's high profile will encourage others to follow.

"The JAIC is an example of an [Office of the Secretary of Defense] component who's going over and can take advantage of this Air Force program. And that could have happened without the memo we had in place, but the point of the memo I think is to make it easier for people to find those services and take advantage of them," Ranks said.

"And that means the JAIC doesn't have to do that work themselves, and they can focus on building the specific machine learning tools that they want to build on top of the regular DevOps pipeline."

But just like with anything else, the DOD CIO will have to develop ways to measure and communicate outcomes and benefits of using DevSecOps and vetted infrastructure like Platform One, if it wants to hit its 2025 goal.

"What happens when a team uses all of the tooling from the Joint Common Foundation and builds algorithms? When it comes time to deploy those things they still run into is essentially a sprawling IT infrastructure ecosystem that is not set up to accept rapid updates, rapid deployments of these tools and everything else," Ranks said.

"So then we have to ask the questions about what do I need to do from a cybersecurity perspective, what do I need to do from a test perspective in order to enable those things."

The Air Force's first chief software officer Nicholas Chaillan told FCW there was still work needed on the security front as well, particularly with the Defense Security/Cybersecurity Authorization Working Group (DSAWG), which handles accreditation review for DOD's networks. Without the group's approval, many software modernization efforts would stall.

"We still have a lot of progress to be made when it comes to the DSAWG and making sure people understand zero trust," Chaillan said.

The chief software officer said the Air Force would help with producing training content to up folks' education and training on cloud security, including guidance on using the continuous authority to operate for authorizing officials, their teams, and cyber teams.

"There's a lot of education to be made and we'll bring on a lot of training content to help people understand. So one of the engagements of the DSAWG to bring guidance for the continuous ATO both for the authorizing officials and for their teams and their cyber teams to understand it better and really remove the fear."

And removing that fear could save the department time and money, he argues.

"I find we have the right people and the right involvement. I think sometimes there's a lack of urgency and it feels like we're still moving a little bit too slow and that's what I want to do a little bit better at," Chaillan said.

"We saved about a hundred years of program time in the Air force just moving to DevSecOps in one year, so the timeliness value there is incredible."

This article first appeared on FCW, a Defense Systems partner site.