
The Voice of Military Communications and Computing

Air Force IT and Netcentric Acquisition Guide

Connectivity Provider: Maj. Gen. Craig S. Olson, PEO C3I and Networks, Air Force

On the Move Comms • COMSEC Hub • Software Complexity • Cloud Security

www.MIT-kmi.com


November 2013

Volume 17, Issue 8




Military Information Technology

November 2013, Volume 17, Issue 8

Cover / Q&A

Major General Craig S. Olson, Program Executive Officer for C3I and Networks, Air Force

“I like to focus on the ‘lightning bolts,’ which are the connectivity of assets in each domain. If you think about horizontal and vertical integration of war fighting assets in all the domains, we at PEO C3I&N provide the lightning bolts.” —Major General Craig S. Olson

Features

Ramping Up Cloud Security

Standards are important, but cloud security assurance also depends on the relationship between cloud provider and DoD customer. By Peter Buxbaum

Air Force IT and Netcentric Acquisition Guide

Ordering guide assists Air Force personnel in acquiring IT and netcentric products, services and solutions in accordance with current Air Force mandatory use procedures, policies and guidance.

Vehicle SATCOM

The Army is working on the Distributed/Embedded Standard SATCOM On-The-Move Terminal Architecture, which calls for several smaller terminals and antennas to be located around a vehicle in order to make sure that the vehicle has access to a satellite at any given time. By Peter Buxbaum

Communications Security Hub

At its three-year mark, the Project Director, Communications Security (PD COMSEC) within the Program Executive Office for Command, Control and Communications-Tactical has become the Army’s central hub for communications security standardization and funding efficiencies. By Meg Carpenter

Accountability in Cyberspace

The government should require that contractors establish effective cybersecurity programs, and penalize those that do not, a senior federal official argues. By Richard A. Russell

Fixing Software Complexity

The U.S. military is increasingly turning to software to further power its next-generation capabilities. As it does so, it needs an approach that starts with deep analytics and drives toward a sustainable IT application blueprint. By Christian Hagen and Jeff Sorenson

Industry Interview

Brian R. Fogg, Vice President, Technology Support Office Chief Technology Officer

Departments

Editor’s Perspective
Program Notes
People
Data Bytes
COTSacopia
Resource Center


EDITOR’S PERSPECTIVE


By any standard, 2013 was a year marked by turmoil in military and other federal information technology spending. The reductions created by sequestration and the government shutdown led to program delays and cutbacks, upset and confusion in the workforce, and extreme uncertainty among contractors.

New projections from the immixGroup, however, offer a ray of hope for the year to come. To be sure, the prospects are cloudy, given that agencies will be operating under stopgap funding measures, and further sequestration is likely unless current budget caps are lifted. The total federal IT budget request for fiscal 2014 represents a 1.8 percent increase over last year, although that obviously could be less once the dust settles.

The positive spin on the year comes from the perception that the Department of Defense and other agencies are going to have to invest in new technologies such as analytical tools and cloud computing in order to achieve overall savings. As DoD moves to the overarching Joint Information Environment, for example, agencies will need to address challenges and opportunities in such areas as data storage, infrastructure consolidation and mobility.

“Defense agencies are capturing enormous amounts of data that needs to be managed, tagged, stored and accessed,” said Tim Larkins, Market Intelligence Manager at immixGroup. “Storage, business intelligence and business analytics, high performance computing, enterprise search, and data management tools will all be important investments.”

As examples of programs supporting these trends, the report cites the Army’s Warfighter Information Network-Tactical, Air Force investments in improving tactical data links, the Navy’s Next Generation Enterprise Network, and the Defense Information Systems Agency’s Global Command and Control System-Joint.

“Despite the clear theme of reduced spending, these emerging technologies will see greater investment across both defense and civilian agencies,” said Larkins.

So while the overall picture is still pretty tight, there are opportunities in 2014 for program managers and industry partners who can show that investments in improved technology can improve operational efficiency and reduce overall costs.

Harrison Donnelly, Editor


Subscription Information

Military Information Technology (ISSN 1097-1041) is published 9 times a year by KMI Media Group. All Rights Reserved. Reproduction without permission is strictly forbidden. © Copyright 2013. Military Information Technology is free to qualified members of the U.S. military, employees of the U.S. government and non-U.S. foreign service based in the U.S. All others: $65 per year. Foreign: $149 per year.



PROGRAM NOTES

Compiled by KMI Media Group staff

Cyber Grand Challenge

The Defense Advanced Research Projects Agency (DARPA) has announced plans to hold the first-ever tournament for fully automatic network defense systems. In the Cyber Grand Challenge, DARPA envisions teams creating automated systems that would compete against each other to evaluate software, test for vulnerabilities, generate security patches and apply them to protected computers on a network. To succeed, competitors must bridge the expert gap between security software and cutting-edge program analysis research. The winning team would receive a cash prize of $2 million.

“DARPA’s series of vehicle grand challenges were the dawn of the self-driving car revolution,” said Mike Walker, DARPA program manager. “With the Cyber Grand Challenge, we intend a similar revolution for information security. Today, our time to patch a newly discovered security flaw is measured in days. Through automatic recognition and remediation of software flaws, the term for a new cyber attack may change from zero-day to zero-second.”

Highly trained experts capable of reasoning about software vulnerabilities, threats and malware power modern network defense. These experts compete regularly on a global “Capture the Flag” tournament circuit, improving their skills and measuring excellence through head-to-head competition. Drawing on the best traditions of expert computer security competitions, DARPA aims to challenge unmanned systems to compete against each other in a real-time tournament for the first time.

“The growth trends we’ve seen in cyber attacks and malware point to a future where automation must be developed to assist IT security analysts,” said Dan Kaufman, director of DARPA’s Information Innovation Office, which oversees the challenge.

The competition is expected to draw teams of top experts from across a wide range of computer security disciplines including reverse engineering, formal methods, program analysis and computer security competition. DARPA intends to invite a select group of top competitors from the qualifying event to the Cyber Grand Challenge final event, slated for early to mid-2016. In that competition, each team’s system would automatically identify software flaws, scanning the network to identify affected hosts. Teams would score based on how capably their systems could protect hosts, scan the network for vulnerabilities and maintain the correct function of software.

Email Migration

The staffs of the Office of the Secretary of Defense (OSD) and U.S. Southern Command (SOUTHCOM) have joined the more than 1.4 million users of DoD Enterprise Email (DEE), the Defense Information Systems Agency’s private, cloud-based email service. More than 10,000 OSD staff email accounts and an additional 2,000 SOUTHCOM users were recently migrated to DEE, which is scaled to support 4.5 million Department of Defense users.

“Our primary focus is to provide a reliable and accessible service for our mission partners, regardless of their geographic location or agency affiliation,” said Paul Crumbliss, program manager for DEE.

As a facet of the Joint Information Environment, DEE consolidates traditional segmented email systems into a singular solution, facilitating operational and financial efficiencies. DEE’s Global Address List contains the professional contact information for every Common Access Card holder in DoD, and the ability to share, view and validate calendar information. Additionally, DEE eliminates costs associated with redundant email infrastructures, freeing up agency resources to focus on other mission critical functions within their organization.

Last month, DoD Chief Information Officer Teri Takai designated DEE as an enterprise service, and directed all DoD components to develop a DEE implementation plan within 120 days.

Cloud Competition

Setting up a competition between industry powerhouses Microsoft and Google, the Army has established two blanket purchase agreements (BPA) to provide email, collaboration, information sharing and mobile access through commercial cloud services. The BPAs are intended for use by organizations unable to participate in Defense Enterprise Email (DEE), including portions of the Army Recruiting Command and the Army Corps of Engineers.

Through the agreements, Dell Federal Systems will provide a solution based on Microsoft Office 365, while DLT Solutions will provide a Google Apps for Government solution. The agreements also provide users with document storage, enterprise content management and unified capabilities. There is also an option for records management and digitally signed and encrypted email.

Led by the Computer Hardware, Enterprise Software and Solutions program office within the Program Executive Office Enterprise Information Systems, the agreements were competed against the existing General Services Administration (GSA) email as a service agreements. The competition enables the Army to build on the past efforts of GSA, enhancing terms and unique Department of Defense security requirements, while maximizing the buying power of DoD for current and future requirements.

The agreements were developed in coordination with the Army chief information officer and DoD Enterprise Software Initiative, and will maintain identity management as a government function, leveraging the existing Defense Information Systems Agency solution. The award of the base agreement and initial order is the first critical step toward meeting the DoD cloud computing strategy goal of using commercial cloud services in the department’s multi-provider enterprise cloud environment. The contract has a one-year base period with four one-year options.


Cybersecurity Study Probes the Human Element

The Army Research Laboratory (ARL) has established a collaborative research alliance (CRA) bringing together ARL, Army Communications-Electronics Research, Development and Engineering Center, academia, and industry researchers to explore the basic foundations of cyber-science issues in the context of Army networks.

A cooperative agreement was awarded recently to a consortium led by Pennsylvania State University, and including Carnegie Mellon University, Indiana University, the University of California at Davis, and the University of California Riverside. The Army will fund the alliance for five years with an optional five-year renewal at $3.3 million to $5.2 million annually.

“The CRA gives us an opportunity to jointly advance the theoretical foundations of a science of cybersecurity in the context of Army networks. Such a science will eventually lead to network defense strategies and empirically validated tools. Substantial interactions and staff rotations between domain experts and scientists across the consortium and ARL will be vital to enable the joint research that will ensure the success of the program,” said Ananthram Swami, Ph.D., who was recently announced as ARL’s collaborative alliance manager for the cybersecurity CRA.

ARL has identified three interrelated aspects of cybersecurity to explore, as well as a cross-cutting psychosocial perspective that takes into account the human element of the network. The study of the human element is a particularly distinctive aspect of the research, officials said. Each of the three research focus areas—risk, detection and agility—must take into account the people behind the cyber actions—the human attackers, cyberdefenders and end users.

Waveform Demo Tests Protected Communications

A recent demonstration has proved that sensitive data could be passed through small, low-cost satellite terminals using an unclassified but secure waveform. A benefit of this approach, according to contractor Raytheon, would be that front-line tactical users, such as forward deployed forces or remotely piloted aircraft, could execute missions more securely and reliably than is now done in environments where communications can be jammed.

Using a modem that is significantly smaller and less expensive, the demonstration involved showing key elements of the protected tactical waveform similar to Advanced Extremely High Frequency (AEHF), one of the military’s most complex. Raytheon leveraged its position as the only provider of AEHF satellite terminals to three branches of the military to show that it can provide an affordable protected tactical solution. Key cost benefits and modem features were identified and demonstrated allowing for flexibility across frequency bands that will provide tactical users the communications protection they need at affordable prices using existing and future satellites.

The new tactical waveform can operate on a variety of bands including Q, X and Ka. It provides secure, anti-jam, low probability of intercept capabilities not available today on unprocessed or unprotected satellites.

The waveform demonstration marks the first of three phases under an Air Force study known as the Design for Affordability and Risk Reduction. Raytheon was one of two companies, along with L-3 Communication Systems-West, chosen to help the government chart the course for future protected military satellite communication terminals.

PEOPLE

Compiled by KMI Media Group staff

Lieutenant General Susan Lawrence stepped down as Army chief information officer/G-6. Retiring after four decades of Army service, she turned over her responsibilities to Deputy CIO Mike Krieger on an acting basis.

Kratos Defense & Security Solutions has hired Vice Admiral Gerald Beaman (Ret.) as president of its newly established Unmanned Combat Aerial Systems Division. Beaman will also oversee major strategic programs for Kratos.

Jo A. Decker has joined General Dynamics Information Technology as vice president of Navy/Marine Corps accounts. Decker previously served as acting principal deputy assistant secretary of the Navy financial management and comptroller, where she oversaw accounting and finance operations and programs for the Department of the Navy.

Verizon has named Michael Maiorana as senior vice president of public sector markets for Verizon Enterprise Solutions, succeeding Susan Zeleniak. Maiorana will lead Verizon’s strategic direction in public sector markets and be responsible for sales and customer satisfaction for federal, state and local governments.

STG has hired Bill Perlowitz to serve as senior vice president and chief technology officer, with responsibilities for the conception, development and implementation of STG’s technical vision, communities of practice, and solutions.


On-the-move communication has worked so well that the Army wants to embed it in heavy weaponized platforms.

By Peter Buxbaum, MIT Correspondent

Satellite communications-on-the-move technology has revolutionized how U.S. warfighters take the battle to the enemy. Satellites provide commanders and warfighters with ubiquitous broadband connections to networks and systems.

Before an on-the-move capability was developed, SATCOM had to be conducted on the halt. Now warfighters have access to ubiquitous and high-throughput SATCOM at up to 55 miles per hour, allowing them greater speed, mobility and flexibility.

SATCOM on the move has provided such an advantage that the Army wants to take it to the next level by equipping more weaponized vehicles with SATCOM on-the-move capabilities. Here they run into a problem, however, because other equipment resident on the platform can block the satellite signal, both physically and electronically.

The Army wants to solve the problem with what it calls the Distributed/Embedded Standard SATCOM On-The-Move Terminal Architecture (DESSTA). DESSTA calls for several smaller terminals and antennas to be located around a vehicle in order to make sure that the vehicle has access to a satellite at any given time.

DESSTA also proposes standardizing SATCOM equipment-vehicle interfaces and modularizing on-the-move equipment so that they can easily be swapped out.

The technology allowing for a distributed architecture has already been developed. In fact, the Navy uses an analogous system for ensuring that vessels are always connected to satellites. What the Army is investigating now is how such a distributed architecture could be integrated on heavy weaponized vehicles. To that end, the Army’s Communications-Electronics Research, Development and Engineering Center (CERDEC) issued a request for information to industry earlier this year.

“We first started developing SATCOM on the move as a result of lessons learned from Desert Storm,” said Jim Gallagher, CERDEC’s project lead for SATCOM on the move. “During Desert Storm, we moved so fast that we outran our capabilities. We are a much more mobile and faster fighting force than we had been prior to that conflict.”

Before the on-the-move capability was developed, SATCOM had to be conducted at the halt. “You had to set up a headquarters and the equipment,” said Gallagher. “What we are working towards now is to be able to integrate SATCOM on the move on every platform type.”

“Regular forces haven’t had the luxury of having SATCOM on their vehicles,” said Blake Nelson, technical operations manager at BAE Systems. “Technology has moved on to the point where it is now easier to provide that capability.”

“One of the key problems associated with armored vehicles is that they are crowded with equipment, so you always bump up against weight, size and power limits,” said Tom Saam, a systems engineer at Harris. “That’s why putting more things on vehicles is always a challenge.”


Integrated Display

One approach to this problem is to allow the reuse of equipment that is already located on the vehicle. “You would want to integrate the new system into the existing display rather than adding another display,” said Saam.

What the Army is trying to accomplish is similar to what the Navy has already done, noted Karl Fuchs, vice president of engineering at iGT. “When vessels make a turn, the superstructure can momentarily block an antenna. The way the Navy fixes that problem is to have dual antennas, one on each side of the superstructure, so they can do an automatic hand-off if one antenna experiences a blockage.”

“The reason the Army has a requirement to provide SATCOM on the move to some of its armored vehicles is that the current solution is inadequate,” said Gallagher. “We are attempting to find a solution for them by taking this next step. Current SATCOM on the move is deficient because of the blockages they are experiencing. We are going to make every effort to solve that problem.”

As part of this quest for a solution CERDEC is conducting a trade study along with the Army Tank, Automotive Research, Development and Engineering Center to look at high-demand weaponized vehicles that would need a SATCOM on-the-move capability.

“We are working with platform developers on how to integrate a distributed aperture solution on those vehicles,” said Gallagher. “A lot of it has to do with whether there is a weapon on the vehicle that could block communications. We are trying to come up with a way of maintaining communications on the move for vehicles that have blockages to their communications systems.”

Although blockages can occur as a result of both physical impediments to the communications system and electronic interference, the CERDEC project is focusing on physical blockages. “Often the weapon turret can block the view of the satellite,” said Gallagher. “We saw this even with weaponized HMMWVs in the desert. We are looking at the concept of distributing SATCOM equipment around the vehicle so that at least one aperture would have a view of the satellite.”

The good news for CERDEC is that satellite equipment has become smaller and lighter in recent years, allowing for multiple apertures to be placed around a vehicle. “Equipment that four years ago was bulky and weighed between 10 and 20 pounds now weighs less than a pound and measures 3 by 9 by 2 inches,” said Nelson. “Not only are they space and weight savers, but they work a whole lot better too.”

Distributing antennas and terminals on a vehicle can ensure greater communications reliability, according to Nelson. “If two guys are trying to communicate over SATCOM, there is good potential that one will knock the other off the network,” he said. “You don’t find that out until the person on the other end doesn’t hear you. The proper placement of antennas and terminals is how you prevent that from happening.”

Utilizing smaller antennas will also save the equipment from damage.

Modem Mediation

The system that the Navy uses includes middleware that mediates between the antennas and the satellite modem, and senses when there is a blockage. “The mediator senses when antenna ‘A’ can’t see the satellite anymore and switches the communications to antenna ‘B,’” said Fuchs. “The switch is fairly transparent. We do a few things, mainly buffering the signals, to keep the sessions alive during the momentary switchover. The Navy and Army each have unique requirements, but the Army can probably learn from what the Navy has done.”

Harris has demonstrated all of the aspects of the technology CERDEC is seeking, according to Saam, and is ready to go to the next level of prototyping. “Placing multiple apertures on vehicles can not only solve the problem of blockages, but can also do some less obvious things,” he added. “You can also combine apertures so that only one is transmitting but all are attempting to receive, or vice versa.”

Harris developed what it calls Adaptive Coherent Aperture Combining (ACAC) to solve the problem of small terminal antennas requiring a relatively high power density downlink from the satellite, which consumes a disproportionate amount of transponder power with respect to bandwidth.

“Because ACAC combines rather than switches, net antenna gain is gracefully degraded when one or more elements are blocked or fail,” said Saam. “I foresee a spiraling of these technology capabilities. ACAC can first be applied as a distributed aperture solution to solve the problem of blockages, and then can be enhanced to allow for the combining of apertures.”

Saam believes that the combination approach is superior to simply switching transmissions from one aperture to another. “Combining has a number of advantages over switching, among them that you can get more surface area for the antennas and therefore more gain and higher data rates. It also allows for nulling out interfering signals be they jammers or friendly.”

“What we are studying now are the integration, safety and economic issues involved in placing multiple apertures in a vehicle,” said Gallagher. “We realize that it could be an expensive proposition to put four apertures and an antenna controller for each vehicle, so we are also looking at how we can do this cost effectively.”

That is one of the rationales behind the quest for a standard SATCOM on the move architecture. “Standardization would allow any aperture builder in the world to develop and deliver apertures for these vehicles,” said Gallagher. “More competition tends to drive prices down. Once we have formulated those baseline architectures and integration schemes for the vehicles, we can go to industry with a request for proposals to build a prototype which incorporates those standards.”

Standardization and Modularization

Other recent innovations in SATCOM on-the-move equipment have addressed a variety of aspects of standardization and modularization. SATCOM on the move necessitated communication between antennas and modems. Before, operators simply pointed the antenna at a satellite. Now the modem has to be able to command the antenna to stop pointing at one satellite and start pointing at another.

“Manufacturers realized they had to cooperate closely together to deliver on the promise of a truly ubiquitous global network that spans satellite footprints,” said Fuchs. “One of the steps we have taken is to develop a standardized antenna-to-modem interface protocol. IDirect was the first company to come out with an open-ended protocol that has been widely accepted in the airborne and maritime communications environments. Prior to the development of industry standards, the only option was to use a closed proprietary system. The open protocol provides users with the flexibility to choose the hardware that best suits their needs.”

Airborne-satellite communication, which by its nature is on the move, provides different challenges. “Air is different than ground communications because you are moving at a high rate of speed,” said Bob Varga, vice president for marketing at ViaSat Global Mobile Broadband. “If an airborne platform has an ISR mission, it is probably flying at the side of a satellite beam, and that simplifies air mobility a little. On the other hand, when en route across the ocean to Europe and the Middle East, the aircraft will be crossing satellite beams. The challenge is to provide seamless transition from beam to beam on a given satellite and from satellite to satellite.

“There are a lot of moving parts, and that requires a great deal of sophistication in the software to do the transition, maintain the connectivity, and provide all that content to the ground,” Varga added.

ViaSat has leveraged developments in commercial satellite communications technology for the benefit of military customers. “We began using smaller, 11-centimeter satellite dishes called VR12s some years ago,” said Varga. “These dishes are both Ku-band and high-capacity Ka-band enabled. Smaller dishes have enabled us to equip lighter and smaller aircraft with SATCOM. There are still gain and performance challenges with this technology, but we have been able to do different things such as using spread spectrum techniques to provide more throughput and bandwidth efficiency.”

The advent of high-powered spot beam satellite transmissions, which improve transmission quality and throughput, has also meant that an aircraft or other fast moving vehicle must transition from one beam to another very quickly.

“Earlier satellite beams were very wide,” Fuchs explained. “One beam could cover the entire continental United States. We have designed modems with multiple modulators so that it can capture the next satellite signal before it breaks with the old one. That way the system can continue transmitting seamlessly across multiple spot beams.”

Another recent innovation necessitated by the global nature of satellite communications networks addresses the requirement that such a network be able to maintain a consistent IP address around the globe. “This requires what we refer to as global network management system,” said Fuchs. “This allows multiple instances of a single router around the globe.”

Routers on traditional networks stay put, Fuchs explained. “This system accommodates an IP router that is moving around the globe in a relatively short period of time.

mobility and the growth in mobility,” said Mark Daniels, vice president for engineering at Intelsat. “The Epic satellites support smaller antennas at higher data rates. Antenna size has been one of the constraints in the mobile sector.”

Protected Communications

While mobile platforms do better with smaller antennas from a design standpoint, satellites prefer to communicate with larger antennas. “From the satellite perspective, it’s the bigger the better, so there has always been a tradeoff in that area,” said Daniels. “Epic and other high-throughput satellites will allow for smaller antennas. Higher-capacity satellites transmit on multiple, smaller beams, allowing antennas to be smaller and the data rates of the antennas to be higher.”

The Epic satellites will also provide protected communications by a commercial satellite provider. “In the past, it has only been the military satellite communications systems that provided protected communications,” said Daniels. “Now commercial systems will be providing protected communications thanks to innovation both in the modem and in the satellite area. The Epic satellites will also have interference mitigation.”

One thing ViaSat is working on for airborne mobile SATCOM is the configuration of networks that allow tracking on both Ku-band and high-capacity Ka-band transmissions.

“This allows the aircraft to use both bands depending on what satellites are in view and what the particular mission demands,” said Varga. “This combined solution uses two rectangular apertures—one for Ka and one for Ku—that operate on a ‘lazy Susan’ type of pedestal that is mounted on the aircraft so users can use both.”

Other developments in airborne mobile SATCOM will revolve around rotary-wing aircraft. “These are challenging,” said Fuchs, “because they experience continual blockage as the rotors come around. There are some creative ways that are being explored to approach this problem, including software that times transmissions so that they go through when the rotor blade is not blocking the signal.”

At CERDEC, Gallagher is targeting fiscal year 2016 for the delivery of a prototype vehicle. “We will be taking one vehicle and one frequency band, Ku-band, in order to provide this first capability and to mature the architecture,” he said. “Establishing the architecture is important moving forward. The Ku-band fulfills the Army’s Warfighter Information Network-Tactical architecture right now.”

In the future, other frequency bands will be looked at. “With the advent of the Wideband Global System, we will align ourselves with the frequency bands that that satellite system will provide,” said Gallagher. “The distributed aperture solution will be a game-changer for SATCOM on the move. Our agency partners, when they
As the router moves from one see what we are doing, will be as interested as well and will follow location to another, the global network management system utilizes our lead.” O different tricks to re-converge routers as they appear on different parts of the planet.” Innovations in the satellites themselves will also facilitate the For more information, contact MIT Editor Harrison Donnelly at harrisond@kmimediagroup.com or search our online archives kind of on-the-move capability that CERDEC is looking for. “Intelfor related stories at www.mit-kmi.com. sat’s Epic high-performance satellite will be a major contributor to www.MIT-kmi.com

MIT 17.8 | 7


PD COMSEC cleans up multiple decades of security equipment and software on the battlefield.

By Meg Carpenter

At its three-year mark, the Project Director, Communications Security (PD COMSEC) within the Program Executive Office for Command, Control and Communications-Tactical has become the Army’s central hub for communications security standardization and funding efficiencies.

“When we were chartered in 2010, our mission was a set of significant goals,” said Stan Niemiec, the PD COMSEC. “Since that inception, and with a highly motivated team at every level of the Army and across a wide and engaged stakeholder community, we have turned those words into actions and continue to clean up decades of COMSEC on the battlefield and at Army installations worldwide. We are bringing reduced variants and quantities of much simplified modern equipment and acquisition discipline to the Army COMSEC arena.”

Multiple efforts to modernize equipment and upgrade hardware and software capabilities for stateside and deploying forces have already resulted in more than $169 million in cost avoidance and cost savings for the Army.

Recently, PD COMSEC personnel analyzed fill device authorizations across the Army and determined that the service could reduce the number of key loaders and still meet mission requirements. Fill devices, like the Simple Key Loader (SKL), load cryptographic keys into encryption machines. SKLs receive, store, manage and export electronic cryptographic keys. The keys are loaded into communications devices such as radios and satellite terminals to secure networks. This one simplification effort regarding how the Army authorizes SKL fill devices could result in a 43 percent reduction of fill devices needed across the Army. This is but one example of how the PD COMSEC team has sought to replace aging COMSEC hardware while meeting future COMSEC requirements.

A case in point: An M1 Abrams tank receives a radio and several other communication systems. Because each communication system is managed by separate program management offices, the individual offices each assign an SKL to their system. The end result might be an M1 with four SKLs authorized to it—three of which would likely be left unutilized.

“If we move to an echelon-based issuance, an M1 tank platoon of four tanks would be authorized a total of four SKLs versus the current 16,” said Eric Adair, product director for key management at PD COMSEC. “We would focus on one SKL per squad or one per platoon, and not have the issue of multiple SKLs on the same platform.”

PD COMSEC was also chartered to centrally manage programs of record for the cryptographic modernization, key management and overall life cycle management of COMSEC throughout the Army. In March 2012, through the Armywide Cryptographic Network Standardization (ACNS) initiative, PD COMSEC identified 30,000 legacy End Cryptographic Units at 70 Army installations that were not able to keep up with current requirements that ensure the information is properly encrypted. The old equipment is being replaced with $283 million worth of modernized COMSEC equipment in inventory at Tobyhanna Army Depot (TYAD). The National Security Agency (NSA) mandated that this antiquated equipment be replaced, and PD COMSEC funded this effort for the entire Army.

PD COMSEC is working in concert with the Army’s Network Enterprise Technology Command to quickly identify equipment to be replaced, fill orders, provide training and integrate the new equipment as non-intrusively to installations as possible for the ACNS effort.

“We were installing the new equipment in Hawaii and the U.S. Army Pacific Command [USARPAC] was so pleased with what we were doing that they asked us to reprioritize the order of when other USARPAC installations would be modernized,” said Dennis Teefy, product director for cryptographic systems at PD COMSEC. “Now we’re working in Korea, Kwajalein, Alaska and Guam to satisfy USARPAC’s crypto modernization requirement.”

One of PD COMSEC’s major program goals has been to help manage the Army’s convergence of several network operations tools that make it easier for soldiers to plan and manage Army communication systems. Recently, U.S. forces in Afghanistan received the latest innovation that PD COMSEC is using to reach that goal. The Joint-Tactical Networking Environment Network Operations Toolkit (J-TNT) reduces the burden on signal soldiers down range and helps the Army avoid nearly $700,000 in spending. J-TNT collapses several tactical network tools, mostly for radio management, onto one laptop so that users can monitor all radios on the battlefield and also includes seven spectrum management applications. What was being done on four or more laptops can now be accomplished using only one.

Soldiers with 4th Brigade Combat Team of the 10th Mountain Division undergo Joint-Tactical Networking Environment Network Operations Toolkit (J-TNT) training. [Photo courtesy of U.S. Army/ Maj. Rachael Hoagland]

Mike Barthel and Kimoanh Le of the U.S. Army Communications Electronic Research, Development and Engineering Center are part of the Army-wide Cryptographic Network Standardization team that is modernizing Army cryptographic equipment throughout the Army. They’re shown here at Fort Gordon, Ga., where they integrated the new equipment. [Photo courtesy of U.S. Army]

“The J-TNT product benefits signal soldiers by allowing them to more rapidly plan the networks for software-defined radios to meet their commanding officer’s mission,” Niemiec said.

In-the-works activity by the PEO C3T team is taking this simplification effort even further, by turning the J-TNT into a software tool that can be wedded to the Warfighter Information Network-Tactical (WIN-T) to provide for a more seamless and simplified tactical Internet.

Having a single management office to procure Army cryptographic and key management materiel has yielded other cost and process efficiencies. The TYAD Communications Security team focused on the depot’s equipment-receiving process and reduced from 57 to 28 the number of days to receive, process and shelve equipment. For its efforts, TYAD COMSEC was awarded the Shingo Silver Medallion in 2012. Other efforts at TYAD have resulted in nearly $42 million in better buying power cost efficiencies by using new equipment in stock there to supply Army units that had initially planned to use their own funds to order more crypto devices.

Being awarded a Shingo award, one of the business world’s top marks of operational excellence, did not slow PD COMSEC’s quest to improve COMSEC for soldiers. It is implementing a new key management system called the Army Key Management Infrastructure (AKMI). AKMI will be a Web-based delivery that will streamline and simplify the process soldiers are using now. It will also limit requirements for physical products and manual delivery through user-operated fill devices.

The PD COMSEC team has also developed the COMSEC Virtual Training Environment, where training and sustainment skills are available 24/7 to anyone with a common access card. This virtual environment has lessened the blow of budget impacts to training, specifically for local COMSEC management software post-new equipment training and refresher training.

“Our team is working diligently to help the Army more efficiently and accurately account for all of its COMSEC items,” Niemiec said. “On this three-year anniversary, we have only just begun our unending quest to protect and unburden our warriors by securing and simplifying the Army’s networks in an effective and intensely resource-efficient manner.”

Meg Carpenter is a public communications team representative for the Program Executive Office for Command, Control and Communications-Tactical.



Standards are important, but cloud security assurance also depends on the relationship between cloud provider and DoD customer.

By Peter Buxbaum
MIT Correspondent

Through on-demand provisioning, resource pooling and greater agility, cloud computing is widely acknowledged to have the potential to reduce costs and improve efficiency for military and government IT programs.

To date, however, the Department of Defense has implemented instances of private clouds—that is, cloud resources dedicated to DoD or one of its services or agencies—but only very limited cases of commercial cloud environments. Private clouds offer a measure of the agility, efficiency and cost reduction associated with cloud computing, but not at the scale possible from migrating to public, multi-tenant clouds.

Some DoD systems will probably never transition to the cloud, but on the horizon now is the possibility that more systems could migrate to private clouds, and some to public clouds as well. The essential barrier to widespread adoption has been concern over information security.

Thanks to the ramping up of the Federal Risk and Authorization Management Program (FedRAMP), security standards and certification programs are being put in place that will likely provide DoD and its components a higher level of confidence that their data and applications are secure in the cloud, allowing them to reap the benefits offered by cloud computing.

FedRAMP represents one level of security assurance for the cloud environment. It speaks of a relationship between cloud providers and the government agencies that oversee the implementation of security measures for cloud computing and of the certification that providers can earn attesting to their level of federal security compliance.

The other part of cloud security assurance is the relationship between the cloud provider and its DoD customer. The customer at no time relinquishes ultimate responsibility for data and application security. The relationship between the agency and the cloud provider must be spelled out in such a way that ensures that the provider is aware of its responsibilities, and that there are mechanisms in place that allow the agency oversight over the cloud provider’s resources and activities as well as over the traffic running on its systems.

Risk-Based Approach

A collaboration among the National Institute of Standards and Technology (NIST), General Services Administration, Department of Homeland Security and DoD, FedRAMP was established in 2011 to provide a risk-based approach for the adoption and use of cloud services in the federal government.

As a FedRAMP concept-of-operations memorandum put it last year, “A key element to successful implementation of cloud computing is a security program that addresses the specific characteristics of cloud computing and provides the level of security commensurate with specific needs to protect government information. Effective security management must be based on risk management and not only on compliance. By adhering to a standardized set of processes, procedures and controls, agencies can identify and assess risks and develop strategies to mitigate them.”

“The cloud is not so much a technology as an operating model,” said Tom Conway, director of business development at McAfee. “You are exchanging control of data and applications for efficiencies and cost effectiveness. When it comes to security, the change is that there is a level of trust involved when you are not providing the security yourself. But as the saying goes, ‘Trust but verify.’ You can’t surrender the ability to verify.”

“Many organizations don’t realize that they can take advantage of a lot of security technology just by moving assets to the cloud,” said J.D. Sherry, global director of technology and solutions at Trend Micro. “In some cases they will get more secure because of the technology that has been put in place and because their assets may be on the downward side of life.”

“DoD is adopting cloud technology internally,” said Christopher Fountain, senior vice president at Kratos SecureInfo. “It is operated by an integrator but it is still dedicated. Private clouds can leverage some elements of cloud computing, but can’t get the agility and lower costs of ownership to the same extent as with multi-tenant commercial operators.”

The security problem associated with commercial clouds is that they haven’t been built to DoD’s strict security requirements, Fountain added. “Commercial cloud operators build for mass market appeal. That is their business model,” he said. “Their offerings bring lots of capability at attractive economics. For good reasons, DoD has stringent security requirements. The challenge is to bridge the gap, so that DoD can take advantage of the agility and cost savings that the cloud offers.”

FedRAMP is a governmentwide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. The program uses a “do once, use many times” framework, in the words of the CONOPS memo, that intends to save costs, time, and the staff required to conduct repeated agency security assessments.

Assessment Process

FedRAMP’s security assessment process uses a standardized set of requirements to grant security authorizations, in accordance with the Federal Information Security Management Act and guidance set out by NIST.

The FedRAMP assessment process is initiated by agencies or a cloud service provider (CSP). A CSP follows the process for a provisional authorization under FedRAMP and uses a third-party assessment organization (3PAO) to assess and review their security control implementations. The 3PAO is hired by the CSP. CSPs provide documentation of test results to FedRAMP. The security package is reviewed by the Joint Authorization Board (JAB), which grants a provisional authority to operate if a CSP presents an acceptable level of risk. Federal agencies can use the security authorization packages to grant a security authorization at their own agency. Once an authorization is granted, ongoing assessment and authorization activities must be completed in order to maintain the security authorization.

Kratos SecureInfo is a 3PAO that has been used by the Air Force to review the security of cloud systems. “FedRAMP was set up to streamline the process for assessing risk in getting cloud systems certified for all government agencies, including the military,” said Yong-Gon Chon, the company’s senior vice president and chief technology officer. “There are 200 control enhancements that cloud providers need to show they have implemented, and that they are doing penetration tests and very thorough audits and monitoring.”

Kratos SecureInfo was the 3PAO that audited CGI IaaS Cloud, a provider that received JAB provisional authorization earlier this year. CGI Cloud uses an infrastructure as a service (IaaS) service model to provide virtual machine and web hosting services in the cloud. Autonomic Resources and Amazon Web Services have also received provisional authorization in recent months.

Kratos recently worked with a cloud-based education and training platform provider and the Air Force to implement compensating security controls that did not follow strict federal standards, but accomplished the same task. “The platform was built for the commercial market and the Air Force was leveraging it,” said Fountain. “It took a while to get the Air Force to see past certain things that the cloud operator could not adopt.”

Some commercial cloud operators may not be able to implement certain security measures required by DoD. “In that case, it is a question of finding different ways to achieve the same end,” Fountain said, adding that these are known as compensating controls.

“There may be a requirement to back up a petabyte of data in offline storage,” Chon explained. “That might not make sense for a cloud service provider. An example of a compensating control would be if the cloud provider could demonstrate that the data was online and readily available at three different data centers. DoD may have a proscriptive control that doesn’t fall in line with normal cloud use cases.”

Compensating controls are sometimes necessary, according to Fountain, because some agencies still follow the Department of Defense Information Technology Security Certification and Accreditation Process (DIACAP) security model, which describes security measures for information systems generally, but not specifically for cloud computing.

The FedRAMP standards, Fountain added, are not yet fully operational. The transition to FedRAMP was supposed to have been completed by now, but fiscal pressures and other difficulties have prevented it.

“It could happen this year or next,” said Chon. “DIACAP and FedRAMP provide different ways of looking at security. DIACAP covers everything from battle-control systems to managing large-scale enclaves. DoD got together with the intelligence community and NIST years ago to develop the FedRAMP standard. But it takes a while to turn the battleship, especially in a tight fiscal environment.”

The NIST standards are the underpinning for the FedRAMP cloud standards. “DoD is trying to take two steps at once,” said Chon. “It hasn’t migrated yet to NIST, and getting to FedRAMP is even trickier. DIACAP is institutionalized in DoD, and has been the construct that has been followed since 2007.”

“Amazon just got certified for FedRAMP,” noted Sherry, “but it still has some multi-tenancy problems to deal with. The issue is how to create segmentations among tenants accessing the same set of resources. DoD needs a cloud ecosystem similar to the private cloud environment it manages today, but with the advantages of multi-tenant public clouds. The end result will likely be a hybrid of public and private cloud assets.”

Shared Responsibility

Cloud security is not solely dependent upon following government guidelines and achieving government accreditation, noted Sherry. “It involves a relationship of shared responsibility between the agency and the cloud provider.

“The agency and the provider must focus together on targeted attacks unique to the agency’s environment,” Sherry continued. “This requires a certain level of transparency into the provider’s assets. It is the responsibility of the customer to provide security at the application and operating system level. Tying all that together with encryption is another key element to provide added assurance.”

Agencies also need to have the ability to exercise continuing oversight over the activities of cloud providers, to make sure the latter are following government requirements. “There are FedRAMP requirements that say that only U.S. citizens can access certain data sets and that those individuals must undergo background checks,” said Sherry. “Providers must provide mechanisms for customers to investigate incident responses. There must be clear rules of engagement when an incident occurs. All these must be spelled out in the contract between the customer and provider.”

Incident response is a good example of where the customer and the provider must work together. “The agency will have an incident response plan,” said Sherry. “But the cloud provider must be looped into the plan. For example, the agency may want to review information logs when an incident occurs. The provider must understand that it must supply X, Y and Z when an incident occurs in an agency’s environment.”

“Once agencies start moving their data off premise, adversaries will start attacking those off-premise providers,” said Conway. “But the agency is still the steward of the data, and it needs to know who is going after it. The agency needs to know who its adversaries are and what is being done to protect against them.”

There are other provisions that must be spelled out in statements of work and service level agreements, according to Conway. “One interesting issue involves access to data,” he said. “What happens if an agency wants to move its data from one private cloud provider to another? Who owns the data?”

Ownership of data is not clear-cut, according to Conway, for example when an agency has maintained its data off premise for two years and there have been changes to applications made in the cloud. “Ownership of data needs to be defined in the contract so that it doesn’t end up being cost prohibitive to move from one provider to another,” he said. “During contract negotiations, the agency must make sure the third-party provider knows what it needs to do to satisfy military requirements and that it is subject to surprise inspections.”

Military agencies also need to retain responsibility for some processes, though they may be located in the cloud. “The agencies need to retain responsibility for access rights and processes like single sign-on,” said Conway. “It is their inherent responsibility and they can’t abdicate it. They can’t let someone else control who has access to what data.”

There also needs to be a process in place to inspect data before it is pulled from the cloud into an operational system to make sure no malware is embedded. In addition, there needs to be a policy in place that delineates what data may, and may not, be put in the cloud in the first place.

“For example, an agency may be comfortable putting dental X-rays up in the cloud, but if the file contains the full dental record they might want to keep it on premise,” Conway explained. “There needs to be a mechanism in place that blocks someone from inadvertently or maliciously putting data in the cloud that goes against that policy.”

Creative Partnership

Public clouds are not going to work for every DoD application. “DoD is working with some commercial solutions providers where the security requirements are not that stringent,” said Fountain. “One of our customers works in the content management arena. That is something where DoD can leverage a commercial cloud solution because the data involved is not classified or highly sensitive. Other examples could be educational types of systems and platforms that host public websites. On the other hand, systems that handle theater operations, what the military refers to as Military Assurance Category 1, would not be appropriate for public cloud deployment.”

In the end, the only way for the military to leverage public clouds will be through some sort of creative partnership between the cloud provider and the military branch. “You hear a lot today about BYOD, or bring your own device,” said Sherry. “We should be using the concept of BYOC, or bring your own compliance or controls. The military has to bring its own regulations and processes and then wrap cloud technologies around them. That way they can be comfortable using cloud assets and comfortable with their compliance and control posture.”

Under this scheme, the service providers will get core certifications and will implement them down to the operating system level. “But the agency must do the same for applications,” Sherry said. “They will need the tools and the processes to bring their own controls and their own compliance and to manage them in the cloud in the same way that they manage their infrastructure when it is within their own four walls.”

“DoD is headed in the right direction,” said Fountain. “It is attempting to migrate from DIACAP and into a series of controls that is more aligned with a risk management framework. Over the next months we will see greater adoption of FedRAMP and we’ll see more clarity in the guidance that was purpose-built for commercial cloud service providers on how the branches of the military can leverage the public cloud.”

“In this budget environment, leveraging the cloud can be an important step for DoD for its efficiencies and cost savings,” said Conway. “But they are taking prudent steps. They’re not jumping yet into the deep end of the pool. They are talking to cloud providers, security firms, and experts in the field to make sure they are doing it right. They can’t afford not to and then fix it later.”



Cyber-Perspectives

Accountability in Cyberspace

The government should require that contractors establish effective cybersecurity programs, and penalize those that do not.

By Richard A. Russell

(Editor’s Note: This is one in a series of articles on cybersecurity and related topics by experts from government, industry and academia.) In the best of times, the federal government and private sector companies work in a delicate synergy to make the products and services required to assure the sustainment of government operations, bolster our military, develop advanced systems, and drive enhancements to currently deployed systems. Unlike the normal civilian sector, the end product for this team is the assurance of battlefield dominance and the protection of closely held information. Many of the contractors handle terabytes of data that is peppered with personally identifiable information, including medical data covered under Health Insurance Portability and Accountability Act provisions, as well as financial information related to civilian and military personnel. The prevalence, scope and potential damage done by cyberattacks via these contractors can be expansive. The evidence is obvious that companies have had prior indicators, warnings and even outright formal notices before or immediately after attacks—leaving little to the imagination as to what has happened. All that is left afterwards is to assess the damage, build the wall higher and find innovative ways to track down and neutralize the culprits’ ability to gain access and “exfiltrate” data. What should the government, and more specifically the Department of Defense, do in response to the growing threat and perceived lack of serious efforts to curb the intrusions through sound and reliable protections and defense technologies? The time may have come to hold the contractor companies accountable for inadequate safeguards and lack of security measures that will protect critical program information, sensitive information, and even classified information. 
The best way to do this would probably be to include in evaluations of contractor companies, when bidding on government contracts, a calculation that would cost them evaluation rating points for failure to assure systems and information are secure. Another potential method would be through a system of graduated penalties, including not being awarded performance bonuses and follow-on years of contracts, for negligent or inadequate security safeguards. In serious cases or with evidence of repeated disregard for the protection of their internal networks and government information, the government could consider suspension of a contractor unless and until prescribed improvements are accomplished.
A major obstacle in trying to get a handle on the problem rests in antiquated and cumbersome federal acquisition regulations. Without clear and serious changes in policy to establish accountability, there is no incentive for companies to get the problem under control. At the same time, merely changing the rules so that contractors can charge the government for doing what any rational person would believe is their job in protecting information is another paradigm that must shift. The proposition is pretty simple: If you want to do business with the government, you must clearly demonstrate that your company has the security mechanisms, technologies and other tools necessary to secure government information, without charging the government for company security. In addition, a record of suffering cyber-attacks where information is believed to have been exfiltrated should count against a company in competing for government business.
But of even greater concern for our community is the trend that causes us to continue to follow the current methods and processes for protecting networks, enterprises and information of the government. What is needed is a quantum leap to new and innovative approaches that will change the systems, environments and networks to make them capable of recognizing malware, intrusion attempts, infected software copies, and other common tools of the cyber-attacker tradecraft. With real innovation and a driver from senior leaders to find and test new solutions, rather than permutations of the same old solutions, the government could get ahead of our adversaries and create the time gap necessary to allow for even more innovation and structural shifts that could frustrate adversaries and provide our country with a competitive advantage in the future.
The time has come for accountability, for demanding that contractors can clearly demonstrate their record of achievement, and for penalizing those whose cybersecurity success is less than adequate. Penalties could vary based on the number of hacking or cyber-attacks that were successful, on the amount of information exfiltrated, and on such things as having a clear record of achievement and success in protecting all information within the company, not just government information, as well as the strength and resiliency of the company’s IT staff. Think of the stockholders and how they are upset when companies they depend upon fail to protect the company from loss of proprietary secrets, or loss of personal information that can cost the company millions through lawsuits and other settlements. If the stockholders have a stake, then the government has a stake.
Our economic well-being and our ability to dominate the battle space of tomorrow hinge on this effort. It is imperative for companies to protect their internal networks and systems, to sequester government information more effectively, and to redouble efforts related to insider threats. If we do not fix this, we could find ourselves overpowered economically and militarily in the future.

Richard A. Russell is a Senior National Intelligence Service Executive currently serving as deputy G-2, Army Materiel Command. The views expressed in this article are those of the author and do not reflect the official policy or position of the Department of the Army, Department of Defense or the U.S. government.

For more information, contact MIT Editor Harrison Donnelly at harrisond@kmimediagroup.com or search our online archives for related stories at www.mit-kmi.com.



DATA BYTES

Air Force Takes Over Operation of Fifth Wideband Satellite

The fifth Wideband Global SATCOM (WGS) satellite built by Boeing is providing the U.S. military and its international partners additional access to the fast, secure communications vital to successful missions. WGS-5, which was launched in May, has completed on-orbit testing and is now being operated by the Air Force. The second spacecraft in the WGS program’s upgraded Block II series, WGS-5 provides protected wideband communications to users anywhere in its field of view. WGS-6—launched 75 days after WGS-5—is performing as expected and scheduled to complete its handover to the Air Force later this year.

Monitoring Platform Gives Army Unparalleled Network Visibility

The Army has selected the RedSeal platform and its related support services for the Joint Regional Security Stack component of Joint Information Environment networks, allowing the delivery of multiple new continuous monitoring capabilities. The RedSeal platform gives the Army unparalleled proactive network visibility, diagnostics and mitigation that drive improved cyber-situational awareness. The Army currently has approximately 400 Internet points of presence, each of which represents a complex attack surface. By embarking on a strategic upgrade to its current network and security infrastructure, the Army will now be able to reduce its number of Internet interfacing points, thus reducing its overall attack surface area and enabling the RedSeal platform to deliver even greater risk assessment and management results. Gaining increased insight into its network infrastructure will enable the Army to make proactive risk-based decisions about its network security.

Army Selects 12 for Communication/Transmission Services

The Army has selected a total of 12 companies to compete to provide communications and transmission services through the Project Manager, Defense Communications and Army Transmission System (PM DCATS). Those sharing in the $4.1 billion PM DCATS program are L-3 National Security Solutions, Globecomm Systems, Harris, General Dynamics One Source, DRS Technical Services, Booz Allen Hamilton, Serco, Computer Sciences Corp., Intelligent Decisions, Lockheed Martin, AT&T Government Solutions and LGS Innovations.

Rugged Computer Replaces Aegis System Workstation

The Sabtech Data Display Computer (SDDC) is a rugged general-purpose computer designed to meet harsh environmental conditions. The SDDC has passed rigorous military and industrial test requirements for environmental conditions, design and safety, including electromagnetic interference. In addition to industrial and general military applications, the SDDC is a direct replacement for the OJ-454(V)/UYK Data Display Console and ORTSNET workstation used in the Aegis Operational Readiness Test System (ORTS). In this configuration, the SDDC runs ORTS Network Emulation Terminal software, providing status, maintenance direction, fault reporting, indication and display, and readiness assessment of the Aegis Weapon System. The SDDC can be configured with 4GB to 16GB of memory and features a large 19-inch display for optimal viewing.



Compiled by KMI Media Group staff

Ka-band Satellite Services Offer Superfast Data Transfer

L-3 TRL Technology and Avanti Communications are working to provide secure Ka-band satellite services to government and military agencies that use L-3 TRL’s Catapan encryption devices for direct high-speed connectivity. Coverage includes parts of Europe, the Middle East, the Caucasus region and Africa. Ideal for high-demand government and military operations that require unlimited data transfer at superfast speeds (up to 10 Mbps), the new Ka-band offering provides secure, cost-effective network options for users with multiple transportable and/or fixed nodes. Numerous encrypted secure voice and data scenarios have been tested over the capability, under differing weather conditions, without any degradation in service. Options include transportable variants utilizing highly portable antennas for rapid deployment and a fixed-site variant providing a cost-effective connection. Tailored uncontended packages are available, including dedicated bandwidth and occasional use packages.

Army Seeks Support for Tactical Network Fielding

The Army has awarded CACI International two prime contracts totaling $237 million to support the Warfighter Information Network-Tactical (WIN-T). The company will support Army and Marine Corps joint military forces deployed in-theater and at command centers worldwide with comprehensive fielding, sustainment and maintenance of satellite terminals to provide a full range of encrypted and open communications. The deployed terminals in the WIN-T network number approximately 1,000 and provide reliable communications within regional commands, as well as inter-theater communications capabilities to other countries in several continents. The terminals are crucial components for units, delivering secure beyond-line-of-sight communications and providing access to tactical and strategic networks for mission command, call for fire, medical evacuation and secure information exchange.

Army Taps Harris for Mid-Tier Vehicular Radio

After an intensive competition, the Army has awarded Harris the Mid-Tier Networking Vehicular Radio (MNVR) contract. The indefinite-delivery, indefinite-quantity contract has a potential total value of $140 million. Harris was chosen in a competitive procurement over three other bidders. The contract includes an initial order for up to 232 MNVR radio systems for the upcoming Network Integration Evaluation 15.1 in the fall of 2014. The two-channel MNVR solution is based on Harris’ combat-proven Falcon III wideband networking technology. Harris has deployed more than 45,000 Falcon III wideband radios around the world.

Smartcard Authentication Available on Apple iOS Devices

Juniper Networks and Thursby Software have partnered to enable government agencies to use smartcard authentication on Apple iOS devices. Through integration with Juniper Networks Junos Pulse Secure Access Service and Thursby’s PKard software and card reader hardware, government employees can now use the same smartcards in use today for all levels of authentication—both physical and online—to connect to private or carrier mobile networks through their iPhones or iPads. Juniper Networks is the first vendor to offer seamless and secure authentication for remote access to government networks from mobile devices via simple smartcards.



Connectivity Provider

Q&A

Focusing on the Lightning Bolts that Link Assets

Major General Craig S. Olson
PEO C3I&N
Air Force

Major General Craig S. Olson is the program executive officer for command, control, communications, intelligence and networks (C3I&N), Hanscom Air Force Base, Mass. In this position, he is responsible for more than 2,200 personnel and acquisition execution of a $10.9 billion portfolio developing, deploying and sustaining Air Force, joint and coalition cyberspace, networks, cryptologic and data link systems to enable decisive combat operations.

Olson was commissioned in 1982 following graduation from the Air Force Academy. He has extensive operational, flight test and acquisition experience. Olson has flown operationally as a weapon systems officer and electronic warfare officer in the F-4E and F-4G, and as a flight test weapon systems officer in the F-15E. His acquisition tours include the JSTARS Joint Program Office, the Air Staff Special Programs Directorate, and the Navy-led V-22 Joint Program Office. He has commanded at the group and wing levels. Prior to his current assignment, Olson was program executive officer for business and enterprise systems and director of the Enterprise Information Systems Directorate, Maxwell AFB, Gunter Annex, Ala. He is a master navigator with more than 1,900 flying hours in more than 20 different aircraft.

Olson was interviewed by MIT Editor Harrison Donnelly.

Q: How would you describe your role as the Air Force PEO for C3I&N?
A: I’d like to describe how the PEO C3I&N fits in the enterprise of leaders in the IT realm. Our portfolio includes more than just IT. We do things in each war fighting domain—space, air, terrestrial and cyber. I’m going to focus today on the terrestrial realm, because that’s where a lot of the AFNet IT infrastructure things are going on.
But we also do tactical data links in the air domain, and how they link up with satellites in the space domain, and nuclear command and control, which links between the air and space domains. I like to focus on the “lightning bolts,” which are the connectivity of assets in each domain. If you think about horizontal and vertical integration of war fighting assets in all the domains, we at PEO C3I&N provide the lightning bolts—the connectivity between assets. Between a Rover guy on the ground, with a transmitter and receiver, and the airplane, there’s a lightning bolt. We are the providers of the lightning bolts, and it’s a key capability that if you take it away, you’ve decreased your war fighting ability.
As a PEO, we’re lifecycle managers, under the restructuring that Air Force Materiel Command [AFMC] went through two years ago. We have full life cycle management, from product delivery to fielding, product support and sustainment. That’s an expanded scope for a PEO, which I’m getting used to.
What I like to do is to get connected with enterprise partners as we try to deliver capability. The areas I’d like to focus on today are the Air Force chief information officer, Lieutenant General Basla, as the one who sets policy for IT, how it’s procured, how dollars are spent and how it’s delivered. I like to link up with Air Force Space Command, under General Shelton and Lieutenant General Hyten and the leadership there, and the 24th Air Force, which is the cyber-war fighting numbered Air Force. We do a lot for cyber-capabilities that leverage IT capabilities. Those are our main partners. There are also others I won’t talk about as much today, including Air Combat Command and Air Force Global Strike Command, where we do some of the data links and nuclear command and control. I want to focus today on the CIO, Air Force Space Command, chief management officer and information dominance mission capability director, which we must work with to do IT better.
It’s all about transparent, trust-based relationships. If those are strong between the enterprise partners, and we’re communicating well and seamlessly, we can deliver capability better. That’s so important in the world of IT, where terms and definitions are used differently. The same word might be defined differently by several different people in IT. I’ve noticed that in recent years, because everyone knows something about IT. Not everyone knows something about an F-35 or nuclear sub, but everyone knows something about IT because we all carry it in our pocket. That leads to folks reading things and saying things and using the same terms, but maybe meaning different things. So I have to focus on transparent, trust-based communications.

Q: You recently published a new mission statement; can you discuss how that fits in to the overall AF C3I&N community?
A: I’ll read the mission statement: “Connecting warfighters with affordable, secure and war-winning cyber, C3I & network systems.” The “connecting” is the lightning bolt, and the warfighters are the folks with assets in air, ground and space, putting bombs on target and creating effects, and we connect them. We want to do that affordably, securely and effectively. We’re doing it in several domains, which is why cyber, C3I and networks are called out—to provide those lightning bolts horizontally and vertically across all domains. We service many other PEOs with lightning bolts—we have to work across all PEOs, and we’re very cross-cutting. We may not own the assets, but PEO Fighter Bombers, PEO Mobility might own one, or PEO Business Enterprise Systems, which owns business enterprise applications such as finance and logistics. We are providing the connectivity for all of them.
The mission statement didn’t exist when I came here. I got the leadership team together and asked what was common in the portfolio of programs that we have, and what we are really trying to do for the nation. We didn’t have a statement, so we studied it and found the commonality and links, and that’s where this domain focus and the lightning bolts came from. It was all of us looking at the portfolio, and it wasn’t handed to us. So we really own the mission statement, and I want to emphasize that we think about the taxpayer, not just the warfighter. That’s especially important these days, when we have to do what we do more affordably.

Q: What do you see as the key opportunities and challenges in achieving your vision of “commoditized infrastructure”?
A: I’m an optimist, so I’m glad you mentioned opportunities first. Opportunities always have challenges, but I like to focus on the opportunities first. We see a huge opportunity in the commoditized infrastructure realm, because the Air Force has had a tendency to do these things in a stovepiped fashion. We build a set of servers, computers, services and a security capability for an individual application. We’ll do that in finance, logistics, command and control and ISR, so we have all these stovepiped infrastructures. Commoditization is the opposite of that. It is trying to provide a single infrastructure, in theory at least, that services all those applications. That’s the opportunity.
Inherent in the history is too much cost and less than the effectiveness and security you want, because you don’t know what the standards are. People do it the way they want to do it. It may have the effectiveness, because you’re focused on a certain application, but it may not have the affordability, security or other needs that you should deliver.
A commoditized approach is a chance to garner a return on investment by building once for many, rather than many for many, and taking in certain features, such as only providing the storage capacity or throughput I need. I’ll pay for whatever throughput is needed, and I’ll be agile enough to provide the throughput needed based on that pay. I’ll provide standardized security for the infrastructure that benefits everyone. I’ll allow velocity and agility, and by that we mean getting applications quickly on and off the infrastructure, and modernizing those applications. We see this as a huge return on investment, and the CIO and Space Command support it.
We are the lifecycle managers for the commoditized infrastructure. We provide the infrastructure, but we don’t necessarily develop, build and deliver it. It could be that you just provide it, because you outsourced to a commercial entity such as Amazon or AT&T, which do that very well. We provide it, rather than build and deliver it, and get a savings there.
What’s hard about this is that we’ve never done it before in the Air Force. We’ve done the stovepipes. That means there may have to be a culture change, and a new way of doing business. Every time you try a new way of doing business, you run into all kinds of roadblocks, and culture can be one of those roadblocks. Organizational structure can be another roadblock, and the lack of policies in place to guide this can be one as well. A lack of organic expertise within your office, on how to do commoditized infrastructure, can be a roadblock. Those are challenges, but I like the leverage on the motivation and the return on investment to overcome all those roadblocks.
On policy, General Basla is laying out the policies for migrating applications to a commoditized infrastructure. He has the authority to do that, is backed up by the chief of staff, and is moving out smartly on that. We have an organizational structure within the Air Force of who owns the commoditized infrastructure and the ability to deliver it, which used to be spread between multiple PEOs. It is centralized now in this PEO, so organizationally we are more able to deliver a commoditized infrastructure. We definitely didn’t and don’t have the organic expertise, but we are growing toward that, and bringing outside expertise in.
The Air Force Chief Management Office is very focused on business and IT, and doing it more effectively and efficiently. So we have a lot of support from them on going through the cultural change—bringing in expertise into the office on how to do commoditized infrastructure, set up your cost models, develop cost models and requirements, go out to commercial providers and build schedules for these things. They are putting contracts out to help bring people into our office and build a bench of capable, organic people.
My point is that all the three and four star leaders are very excited about making this work. Frankly, we don’t have a choice but to make it work, because of the budget environment. But that shouldn’t be your only motivator, because it’s the right thing to do! Leveraging off successes in the commercial world is the right thing to do for airmen and taxpayers, regardless of budget constraints.

Q: What is your role in the future of the Air Force Network as technology continues to advance?
A: I’d refer back to my first answer, about the importance of enterprise relationships. Space Command appropriately views themselves as the owners and operators of the network, AFNet. They have said we have an existing infrastructure that is in place, but is not adequate. We need to evolve to a better network and infrastructure. What AFNet is today, and what AFNet plus a commoditized infrastructure will be in the future, they have acknowledged that we have to improve. They look at us as life cycle managers to be the providers of that for them to operate. So we’re working hand in hand with them, and the CIO who lays the policy for all of this, to figure out the architecture for this future state that we can migrate toward. Things like a commoditized infrastructure, and how you would fund and manage that like a program. What does Global Combat Support System become, because it’s a computing environment as well, albeit a legacy one? That’s a legacy commoditized infrastructure, but it doesn’t have all the features that you would want in a fully commercially leveraged commoditized infrastructure. And it’s not funded adequately to do that either. Migrating that to the future state is what we’re all looking at together.
Our role in that is to help form the policy, and the requirements that Space Command eventually gives us, to deliver commoditized infrastructure. Our role is to make sure those requirements are well stated, as is sometimes difficult in the IT world, and then do the providing of that commoditized infrastructure over time.
We use words like target baselines, implementation baseline and operational baseline. The baseline is a set of government-provided standards. Before, there was no single set of standards for application and infrastructure owners to march toward. It starts with the CIO putting out a policy and a target baseline, goes to us as life cycle managers to implement that baseline, through an implementation set of configured products that adhere to the baseline, and a set of published standards. Then it goes to Space Command to operate that baseline once it’s fielded. It’s all around a set of government-provided standards that I, PEO BES and industry all have to adhere to.
We’re equal partners with industry in getting to the network of the future. They are very good at operating and owning networks, such as AT&T’s huge network. There are also companies that are very good at infrastructure, such as Amazon, HP and Akamai. They all know how to put infrastructures on networks and to monitor networks for health with very few people so that it’s cost effective—and we don’t.
So the Air Force is working hard to learn from that. I’ve made several different visits to the operating centers for AT&T or Akamai to see how they do it. The 24th Air Force goes to those places as well, so that we can bring that expertise into the Air Force. That’s our goal, as well as in some cases to totally outsource it to industry. We consider them an equal partner.
The last thing I’ll mention is governance. How has governance been in the past, what is it like now, and what does it need to be in the future to pull any of this off? It needs to be a strong, centralized governance. The good news there is that the chief of staff chartered the CIO-led governance board, called the Information Technology Governance Executive Board, about a year and a half ago. I’ve been fortunate to be a part of that and watch General Basla take a huge leadership role there, like a chairman of the board. It has the right enterprise partners sitting on it, and they are growing in their authority and putting out products that will guide the migration to the future state.

Q: What do you see as the most pressing C3I&N challenges facing the Air Force?
A: I’ve already talked about terrestrial information technology, but what I haven’t mentioned is the other domains—air, space, and nuclear command and control. In those domains, the CIO and I also see opportunities to do things differently. The question is how we apply all the principles we’ve just talked about for networks and commoditized infrastructure in the air domain, where I’m building data links, and in the space domain, where I’ve got satellites moving information. How do I provide it in the nuclear command and control architecture? Am I doing it in a stovepiped fashion, or providing services for people that are effective, adhere to government standards, and are affordable and secure?
We’re not doing that as well in the air and space domains, and we’re not talking about it as much. But the conversation is beginning. You’re hearing a term like the Joint Aerial Layer Network a lot in ACC, and we’re looking at the future air domain differently than in the past. That’s a chance to jump in and apply the same principles with our ACC partner. The same is true with our Global Strike Command partner in the NC3 realm.
I’m excited, because those are additional opportunities, which will come with the same challenges and roadblocks that you find in the terrestrial domain. In our mission statement, we say that we look at each domain, but we look at them similarly in terms of how we’re trying to do business.

Q: How do you see the role of the current budget and fiscal environment impacting your ability to execute the C3I&N mission?
A: I’ve never seen things quite like this in my 31 years of service. We see services and support being stopped, and buildings that aren’t getting fixed, from base infrastructure to programs that are stopping. There are flying squadrons that aren’t flying and ships that aren’t sailing. I’ve never seen anything like it.
But I’m an optimist. I look at this as the motivator we need to drive change. To get through these organizational and cultural problems, how we’re going to move dollars around and how to force people to go to a commoditized infrastructure and let go of ownership of their infrastructure—how are we going to do that? We’re forced to do it, because we have to have the savings. The only way to keep applications that are out there running, let alone put on new applications, is to find some savings.
All the things we’ve been talking about have a return-on-investment business case behind them that some folks have put together for us. But the only way to realize that return on investment is with strict governance, trust-based relationships, partnering with others, stating your requirements differently, organizing yourself differently, and leveraging off of industry. That’s how we’re going to get through this budget crisis. It’s a necessary motivator, because we have no choice but to do things differently. In some ways, I’m glad that we have a budget crisis, because it will help drive us through the culture change we need to do business differently. Without the budget crisis, people might miss the opportunity to do the right thing.
One area that I haven’t talked about enough is cyber-weapons systems in the cyber-domain. Some call that IT, while others call it cyber, or say that cyber and IT are the same thing. But I’m going to distinguish the two. I’m looking at our 24th Air Force partner, which operates in that domain with offensive and defensive capabilities. They are trying to create effects and to protect the network. They’re doing both offense and defense, as well as situational awareness. They’re constantly surveilling what’s going on in the network, which is a war fighting domain. I think of it that way and they think of it that way, so we’re now baselining weapons systems in that domain.
Specifically, there are six weapon systems that have been stood up, and we will become the life cycle managers for those, so that the 24th Air Force can operate them. You can’t put your hands around it or fly in it, but it’s a weapons system, whether a laptop or a set of software that creates effects. It needs to be developed, tested, delivered and sustained.
The whole concept of standing up a new domain with weapon systems in it is new, like the air domain was 80 years ago. Just like that, you have to convince the world that the cyber-domain is a real domain, where we’re fighting every day, and our enemies are pretty good. So we need to get better, take it seriously, and organize and fund it appropriately. We’re still in the early stages of that, and aren’t mature yet.
That’s an area where I get concerned about the budget. That might need some upfront investment, but this is not a good time to ask for upfront investment. I don’t have a good answer yet for where that money is going to come from, but the 24th Air Force, Space Command and AFMC are going to have to work together to identify necessary resources.

Q: Is there anything you would like to add?
A: I’d like to talk a bit about the Life Cycle Management Center, AFMC and the restructuring of all that. We’re almost a year into that process, having declared initial operational capability in October 2012. I like to portray that as a very good thing. I liked where it was going before, as it was being built and designed, but now that it’s in place for a year, I like it even more. What I like specifically is that it brings all the PEOs underneath two bosses—our acquisition boss, Dr. LaPlante, and our organize-train-and-equip boss, Lieutenant General Moore. All 10 PEOs/directorates report to him, so we get the organize-train-and-equip functions from a single source. That’s great, because all are treated equal.
Even more importantly, it has allowed all the PEOs to dialogue together more frequently and in a more natural fashion. There were three distinct product centers, which artificially create walls just by organization. You don’t naturally talk to each other as much, because you’re living within your individual product center. That was Eglin, Hanscom and Wright-Patterson in the past. Now there is one product center, a life cycle management center, and we’re all in the same one. So the wall is around all of us, and there are no walls between us. Every meeting you go to, whether a staff meeting or an acquisition execution meeting, all the PEOs are there.
I think that was needed 20 years ago, because we can’t do any of our programs in a vacuum—especially today in this IT world, where everyone is connected. You can’t do your business without talking to the folks who do other acquisition things. In my case, it’s obvious that all the platform owners are in another PEO, just as combat support and nuclear programs are in their own PEOs. We’re the lightning bolt people, so naturally we have to talk to everyone anyway. But all the PEOs need to be doing that, and the restructuring has enabled that.
General Moore has done a phenomenal job in getting everyone focused on a unified purpose, a set of six common objectives, and setting up the process for change and getting all the PEOs and functionals to work together in solidifying the Life Cycle Management Center and making it a fully operationally capable organization. He has done a tremendous job of that.

EXPERIENCE YOU CAN COUNT ON » Stability » Consistency » Integrity With more than a decade as editor of Military Information Technology, Harrison Donnelly has the background, relationships and understanding to lead MIT, widely considered the “Voice of Military Communications and Computing” and the most effective and trusted way to reach military IT professionals. His continuity of service guarantees the highest quality of editorial coverage, and makes advertisements in MIT all the more valuable. In a time of turmoil and change in both the defense and publishing worlds, “Hank” is someone who people across the community turn to when they want to deliver a message that makes a difference.

has been published to serve the military, Congress, and the executive branch for 17 years by the same KMI Media Group management.



Objective
To assist Air Force personnel in acquiring IT and netcentric products, services, and solutions in accordance with current Air Force mandatory use procedures, policies and guidance.

Overview
The Air Force uses service-wide indefinite delivery/indefinite quantity (ID/IQ) contracts and blanket purchase agreements (BPAs) to buy most IT and netcentric products, services and solutions. Using these established contracts and agreements saves Air Force units significant time, effort and money. The terms of these buying vehicles and the use of their individual ordering guide help units ensure they are complying with DoD and Air Force IT and netcentric policies. This Air Force guide will help you determine which of the different ID/IQs and/or BPAs you should use to meet your organization’s needs while ensuring compliance with applicable mandatory use procedures.



Two Steps to the Right Contract Vehicle
1. Determine the requirement (products, services or solutions).
2. Identify the appropriate contract vehicle (ESI, ITCC, NETCENTS, etc.).

Step One: Determine the Requirement
• Determine if the requirement is for hardware, software or services/solutions.
• Determine if this is a one-time requirement or if there is a continuing need.

Hardware
• Define hardware specifications with regard to the functions to be performed and essential physical characteristics.
• Include your hardware requirements in your solutions requirements/acquisition if you are buying hardware as part of a larger solution.

Software
• Define function and performance requirements.
• Determine if the software is a commercial off-the-shelf (COTS) product or if an application development effort needs to take place.

Services/Solutions
• Define performance objectives and measurable performance standards.

Step Two: Choose the Right Vehicle
Use your local or supporting contracting organization to place an order against one of the following contract vehicles. You must use AFWay (https://www.afway.af.mil/) to procure hardware and services.

Hardware

General Purpose Office Automation and High-performance Computing
The Air Force Information Technology Commodity Council (ITCC) portfolio provides a wide range of desktops, laptops (lightweight and desktop replacement), mobile workstations, mid-tier workstations, high-performance computing devices and displays from the four GSA schedule-based precompeted client computing and server (CCS) and BPAs at extremely discounted prices. All systems are pre-configured and delivered with the latest version of the Air Force standard desktop configuration and the approved BIOS settings. This reduces your total cost of ownership while providing fully compliant plug-and-play devices. Air Force Instruction 33-112, paragraph 14, provides guidance regarding mandatory use of ITCC portfolio products via https://www.afway.af.mil/. The CCS BPAs are open to DoD and those contractors under contract to fulfill government requirements. Users soliciting quotes for ITCC-type products as part of a larger acquisition should consider CCS as the source for ITCC portfolio products.

Network and Multi-function Devices
The Air Force ITCC portfolio includes the digital printing and imaging (DPI) suite of four BPAs. The DPI BPAs provide compliant network printers and multi-function devices to support the majority of Air Force black and white and color printing requirements at significant reductions in your total cost of ownership. All devices are compliant with iTRM and contain the approved security settings upon delivery. Air Force Instruction 33-112, paragraph 14, provides guidance regarding mandatory use of DPI. DPI products are available for immediate purchase at https://www.afway.af.mil/.

Cellular Services and Devices
For cellular services and/or devices (i.e. tablets), use the Air Force/Army cellular services and devices initiative. This includes CONUS services and may include OCONUS roaming. OCONUS services are not included. Orders may be placed directly through the four major cellular airtime providers (AT&T Mobility, Sprint, T-Mobile and Verizon Wireless).
https://www.my.af.mil/gcss-af/USAF/ep/globalTab.do?channelPageId=s6925EC1335690FB5E044080020E329A9

All Other IT and Netcentric Hardware
If your requirement could not be fulfilled by the above mandatory sources, then you will purchase from the NETCENTS contract via AFWay (once the NETCENTS-2 netcentric products contract is awarded, it will be used instead). For network equipment, servers, storage, peripherals, multimedia, software, biometric identity management hardware and software, and desktop COTS software not included on other enterprise licenses, the netcentric products ID/IQ would be the acquisition vehicle to use. For more information see the netcentric products user’s guide.
http://www.netcents.af.mil/contracts/netcents-2/products/documents/index.asp

Software

Enterprise Licenses
If you are purchasing IT software, you must use the following enterprise vehicles, if applicable:
• DoD Enterprise Software Initiative (ESI): www.esi.mil/
• GSA Smart BUY Initiative: www.esi.mil/ or www.gsa.gov/smartbuy.

All Other IT and Netcentric Software
If you need IT and netcentric software that is not offered by the above initiatives, then use the NETCENTS contract via AFWay (once the NETCENTS-2 Netcentric Products contract is awarded, it will be used instead). For more information see the Netcentric products user’s guide.
www.netcents.af.mil/contracts/netcents-2/products/documents/index.asp

Note: New Software Agreements and Renewals—to the maximum extent practicable, agencies shall refrain from entering into any new or renewal software licensing agreements without consulting an ESI software product manager or SmartBUY agreements. http://www.esi.mil/LandingZone.aspx?id=188&zid=3

Services/Solutions

Long-haul Communications
FTS2001 provides a consolidated telecommunications capability to support federal agencies with voice and data services (including local, long-distance and international services) that can endure if the public switched network is congested or otherwise incapacitated. In 2008 CIO mandated that the GSA Networx contract be used to satisfy all requirements currently being met via the FTS2001.
www.gsa.gov/portal/content/104870 (FTS2001 Transition to Networx)

Network Operations and Infrastructure
If you are trying to acquire services and/or solutions covering existing legacy infrastructure, networks, systems and operations as well as emerging technologies, then use the existing NETCENTS contract (once the NETCENTS-2 Netops and Infrastructure contracts are awarded, they will be used instead). Some example capabilities that this ID/IQ can provide include network-centric information technology; networking and security; voice, video and data communication; cloud computing; managed service; system solutions; and services to satisfy the requirements of a variety of customers—that is, combat support, command and control, and intelligence reconnaissance and surveillance, Air Force, DoD and other federal agencies worldwide. The proposed solutions shall be in compliance with existing DoD, Air Force and intelligence community standardization and interoperability policies. Technology refreshment and system evolution within this contract will track proven, accepted, and available leading-edge technology within industry. For more information see the network operations and infrastructure solutions user’s guide.
www.netcents.af.mil/contracts/netcents-2/netops/index.asp

Application Services
If you are looking to acquire services and/or solutions related to application development and sustainment, legacy application migration or integration into a standard infrastructure or service-oriented architecture, such as GCSS or DECC, or any new software development to enhance areas of presentation, security, web services, mobile applications or application performance, this is the ID/IQ contract for you. Any test environments, help desk support, or training that are required to support these efforts are included in the scope of this contract. Data and information management and services also fall within the scope of this contract. For more information see the application services user’s guide.
www.netcents.af.mil/contracts/netcents-2/appsrvs/documents/index.asp

Enterprise Integration and Service Management (EISM)
If you are trying to acquire Enterprise Level Advisory and Assistance Services (A&AS), including engineering, integration, and services management for Air Force customers only, then the EISM ID/IQ is the acquisition vehicle. This is not program level A&AS support. For more information see the EISM user’s guide.
www.netcents.af.mil/contracts/netcents-2/eism/documents/index.asp

Mandatory Use Policy
Use of the contracting vehicles referenced is mandated by the following policies:
• ITCC- Mandatory Use Policy https://afpims.dma.mil/shared/media/document/AFD-111006-111.pdf
• ESI- Mandatory Use Policy www.esi.mil/
• NETCENTS-2- Mandatory Use Policy www.netcents.af.mil/shared/media/document/AFD-111007-083.pdf
Air Force Instruction 33-112

POC Information
If you still have questions, please contact the customer support team at commercial (334) 416-5070, DSN 596.5070, or e-mail netcents@gunter.af.mil. For more detailed information, please go to the following web site for these strategic sourcing initiatives: https://www.fbo.gov/

For more information, contact MIT Editor Harrison Donnelly at harrisond@kmimediagroup.com or search our online archives for related stories at www.mit-kmi.com.



The military needs an approach that starts with deep analytics and drives toward a sustainable IT application blueprint.

By Christian Hagen and Jeff Sorenson

The U.S. military is increasingly turning to software to further power its next-generation capabilities. Software already drives many of the military’s support systems, such as HR, logistics and enterprise resource planning, not to mention such advanced weapons systems as drones, laser-guided munitions and autonomous vehicles. As each new system is deployed, the military moves more firmly into the software business and increases software’s role as a strategic weapon. Unfortunately, each system also adds to the number of applications the military must effectively maintain and continually upgrade—a task that grows more difficult and more costly as technology and individual systems become more complex.



With today’s tighter budgets, the military is looking for ways to reduce the complexity of its support and weapons systems so that it can provide future capabilities in the most efficient and cost-effective manner. It does so with the realization that it is time to take stock of its software, to determine how to deliver new software on schedule and on budget, and to develop a more thoughtful management of both its current applications and its go-forward software portfolio for the next five to 15 years. But this is a big task—one that most military leaders and CIOs have only just started to consider and do not yet know how to attack. Some military CIOs are only now realizing the extent to which their software’s complexity is growing and, in turn, how this complexity is increasing their costs and intensifying sustainment and maintenance issues. A few CIOs have looked more deeply at the problem and consider it almost too big to handle, especially since they do not have key data available. Others are hampered by the fact that software rationalization requires a large up-front investment and a top-down, top-driven, top-supported effort, but they have yet to get leadership buy-in. Leaders in the commercial sector, which in many cases is much further along than the military in understanding the issues and costs associated with software complexity, have identified this factor as the largest barrier to improving process support and integration and to realizing an innovative IT function. Furthermore, they believe rationalizing applications is the best way to reduce IT costs and complexity. With this knowledge, these leaders have implemented a disciplined approach to rationally determining which of their software applications are necessary, which should be enhanced, and which should be eliminated. 
This approach is a step-by-step analytical road map for building an IT application blueprint that aligns the software application portfolio to current and future operational requirements. The commercial sector’s direction and experience offers the military and other U.S. government agencies and departments clear, unquestionable evidence that the best way to manage the software challenge is to take this disciplined approach to software rationalization. The results are reduced software complexity, significant cost savings, and advanced operational capabilities for meeting the military’s future support-system and weapons-system requirements. Without a disciplined approach to software rationalization and effective project governance, the military will continue to face cost overruns and uncontrollable system complexity. A July 2013 Government Accountability Office report showed how these issues can get out of hand in such programs as the Defense Integrated Military Human Resources System, Expeditionary Combat Support System and Global Combat Support System-Army. For the military, building an IT application blueprint is an untapped area for reducing the software complexity of the military branches and programs such as those highlighted in the recent GAO report. Some military CIOs are considering this approach, with at least one starting to put it into effect this summer. To date, however, most have yet to get on board and so are, in effect, leaving money on the table while their commercial counterparts save billions of dollars. For example, since establishing its IT blueprint, one major automotive manufacturer has cut nearly one-third of its nearly 500 applications—pointing to the huge cost savings available for the military. No one knows for sure how many software applications the military has, but one CIO has stated that his operation alone runs approximately 17,000. Better management and reduction in the number of applications could produce billions in annual benefits.

Military Cost Benefits

A.T. Kearney’s step approach to building an IT application blueprint has been used with several commercial companies. The model that follows has been tweaked specifically to fit the requirements of the military. With its hypothesis-based, big-picture view, this approach gives a military organization a balanced picture of the cost benefits that accrue from managing its IT applications portfolio.

• Confirm the organizational and IT objectives. In the first step, the military organization will answer a few basic questions, such as those about its most important capabilities and constraints, to ensure it emphasizes organizational objectives and priorities early in the process and establishes stakeholder consensus and support for the effort. The organization also will review key priorities and objectives linked to the current application portfolio and projects for each function.

• Evaluate organizational requirements and the current application portfolio. Here, the military organization will collect information across all key segments of the portfolio and develop a comprehensive set of requirements for the application blueprint. It will evaluate each application using a value-assessment matrix to identify the technical and functional condition of each application, rate each for its organizational value, and suggest potential actions. Also, it will group the applications into the following categories according to their intended value and goals:
    • Improve operational excellence. These are mature applications and data-center technologies—assets that make information systems more effective and cost efficient. They include, for example, applications that monitor software and networks, enable data integration, or run commodity administrative organizational functions.
    • Increase core value. These applications typically include ERP systems and workflow engines that enable and improve end-to-end organizational processes across functions. They improve core processes by raising value chains and operations to world-class levels. They not only reduce costs but improve returns or growth as well.
    • Enhance innovation. These applications strive for breakthrough innovations to improve competitiveness and create strategies that transform military capabilities, reposition the organization in key functional areas, or allow new collaboration models. They can be leading-edge technologies as well as mature applications and technologies that transform traditional paradigms or organizational models.
  To avoid the risk of overemphasizing technology and losing flexibility, responsiveness and organizational value, the organization will conduct a detailed total cost of ownership analysis of its existing IT assets and applications, with the goal of better understanding the cost components and how they will change during the transformation.

• Build and validate a future-state application blueprint. To begin building the application blueprint, the organization will start by first segmenting organizational functions and identifying applications that help each function meet its strategies and objectives. With this segmentation, the organization will be able to define which new IT assets, new applications, and modifications are needed to meet business needs. Then, it will identify applications that can be eliminated because they deliver minimal value or are redundant with other applications. This analysis gives the organization a clear view of how its IT systems are connected to their requirements and how they can work together to achieve desired organizational results. Once this end-state vision is in place and confirmed by IT, as well as by the large systems group and other stakeholders that must collaborate to make this software rationalization project a success, the organization will have cleared the path for creating executable projects.

• Develop a migration roadmap. In this step, the organization will want to develop a migration roadmap that outlines how to implement the application blueprint and eliminate unnecessary complexity. This roadmap provides a multi-year plan to address each application in the existing portfolio while building for the future. And it identifies projects for the next five to 10 years, including required annual investments and metrics. In this step, the organization identifies the targets and projects needed to realize the organizational capabilities and align them with the blueprint. This roadmap is crucial. With it, the organization can forecast resource needs and develop a coherent strategy to move forward and secure needed funding. Without it, the organization’s efforts would most likely produce few tangible results.

• Define the application investment strategy. The military must regularly decide between competing priorities—for example, between different systems for managing its logistics capabilities. In this step, the organization will address this problem, using an approach that defines an application investment strategy based on organizational, technical, operational and financial parameters so that intelligent trade-offs can be made. A key result of this step is a comprehensive TCO analysis of the application blueprint. The organization will develop an investment strategy based on a comparison of organizational benefits and IT application portfolio costs. Additionally, it will pinpoint the needed investments and cumulative benefits of each application segment.

• Design the IT organization and application governance. This important final step provides visibility and ongoing guidance for maintaining the blueprint. Here, the organization will define the roles and leaders for the various IT systems and develop program management functions for executing the road map and updating the investment strategy based on evolving needs.

The military could choose any number of ways to reduce its software complexity—making only minor changes or starting from scratch with a whole new architecture, for example. But the method that holds the best promise—because it has proven most successful in comparable commercial challenges—is an approach that starts with deep analytics and drives toward a sustainable IT application blueprint. A well-designed blueprint reduces software complexity and costs while delivering exceptional capabilities and value to the organization—and provides a starting point for effective governance going forward. Now is the time for the military to embrace this software rationalization approach. While it sits on the sidelines, its software complexity and costs continue to rise and become even more unmanageable.

Christian Hagen

Lt. Gen. Jeffrey Sorenson (Ret.)

christian.hagen@atkearney.com

jeff.sorenson@atkearney.com

Christian Hagen is a partner in A.T. Kearney’s Strategic Information Technology Practice, based in Chicago. Lieutenant General Jeffrey Sorenson (Ret.), who previously served as Army chief information officer/G-6, is a partner in A.T. Kearney’s Public Sector and Aerospace Defense Practice based in Washington, D.C.

February 4-6, 2014

CYBERSPACE 2014 A training and technology forum for government, industry, and academia

Managing Cyber Chaos

The BROADMOOR Hotel, Colorado Springs, CO

CYBERSPACE 2014 Symposium is the venue where we are once again privileged to host some of America’s most brilliant strategic thinkers and policy makers. You will see 100 exhibits and hear distinguished speakers from both government and industry. Thought-provoking panel discussions will be chaired by some of the most elite minds in today’s cyberspace community. This will be our sixteenth symposium year and our dedicated volunteer staff is working hard to ensure you will enjoy our entire 2014 program. Please join us for this important interaction between industry and government to explore this new domain. For complete information about Exhibiting, Sponsorships, Online Registration, and more, please visit our website.

www.afceacyberspace.com



COTSacopia

Switch Delivers Enterprise Features in Compact Form

Brocade expanded its campus networking portfolio with the Brocade ICX 6450-C Switch, which delivers enterprise-class features in a compact form, and supports the simplification and automation provided by the Brocade HyperEdge Architecture. Executing on the company’s strategy to deliver innovation for specific customer segments, the Brocade ICX 6450-C is designed for the unique and stringent requirements of federal agencies and public sector organizations. The Brocade ICX 6450-C further expands the company’s comprehensive core-to-edge switch portfolio, a key factor in the recent announcement with Aruba of plans to deliver secure integrated wired and wireless mobility solutions for enterprise and public sector customers based on open standards and software-defined networking principles. This integrated solution enables federal agencies to deploy a secure, modern, enterprise network that is simple to maintain and responsive to the evolving needs of warfighter and civilian missions through operational efficiency and optimal total cost of ownership.

Headset Encryptor Secures Land Mobile Radio Communications

Technical Communications Corp. (TCC) has released the HSE 6000 radio headset and telephone encryptor to secure the Land Mobile Radio voice communications of public safety special operations, and telephone-to-radio conferencing between commanders and field forces, enabled by TCC’s innovative X-NCrypt Cross Network Cryptography. X-NCrypt Cross Network Cryptography is the revolutionary evolution in the application of TCC’s military DSP 9000 voice encryption technology. It enables end-to-end secure voice communications across and between radio and telephone networks, including conferencing, using TCC’s DSP 9000 and HSE 6000 interoperable secure radio and telephone encryption family to connect fixed-sites (land, sea and air), ground troops, public safety special operations, and commanders and government officials. Supporting universal encryption, the DSP 9000 and HSE 6000 are cost-effective and flexible, operating with most radio makes and models, and all frequency bands, and seamlessly overlaying on existing voice networks.

Active Defense Automatically Removes Cyber-threats

Hexis Cyber Solutions, a subsidiary of KEYW Corp., has unveiled HawkEye G, the industry’s first truly active defense solution to detect stealthy advanced cyber-threats and take automatic action to remove the threats from the network. By delivering fast detection of advanced attacks—from botnets and malware to advanced persistent threats—and then applying automated countermeasures to remove these cyber-threats, HawkEye G protects today’s networks at digital speeds. Drawing on experience from supporting the U.S. government as well as state of the art big data capabilities, Hexis designed HawkEye G to directly combat the tools, techniques and procedures of the most advanced attackers. This breakthrough technology takes the guesswork out of active defense by detecting, diagnosing and removing cyber-threats within the network before they can compromise intellectual property or disrupt the business.

Malware Tool Increases Real-Time Prevention of Attacks

The flagship network security solution from General Dynamics Fidelis Cybersecurity Solutions, Fidelis XPS, now includes a new application of YARA technology, a rule-based malware identification and classification tool, that will increase the real-time prevention of malware attacks by analyzing threats in network traffic. Arming customers with another innovative method to detect malicious traffic as it flows on the network, the continued enhancements to Fidelis XPS help customers reduce remediation costs by blocking malware before it enters the enterprise. Fidelis XPS leverages YARA’s capabilities of classifying detected malware and scanning static objects in a file system after they have already entered the network, to extend and support its prevention efforts to scan network sessions in progress. With organizations placing an increased focus on blocking as much malware as possible before it enters the network, this collaboration makes advanced threat defense an active component of network defense.


The advertisers index is provided as a service to our readers. KMI cannot be held responsible for discrepancies due to last-minute changes or alterations.

MIT RESOURCE CENTER

Advertisers Index
Capitol College: www.capitol-college.edu/mit (page 27)
Cyberspace 2014 Symposium: www.afceacyberspace.com (page 25)
EADS Astrium: www.astriumservices.com (page C4)
NCI Inc.: www.nciinc.com (page C3)
Sabtech Industries Inc.: www.sabtech.com (page 27)

Want to REACH the decision-makers in the DEFENSE COMMUNITY?

Calendar

February 4-6, 2014
Cyberspace Symposium
Colorado Springs, Colo.
www.rockymtn-afcea.org

February 11-13, 2014
AFCEA West
San Diego, Calif.
www.afcea.org

February 19-21, 2014
AUSA Winter Symposium and Exhibition
Huntsville, Ala.
http://ausameetings.org/winter

March 10-13, 2014
Satellite 2014
Washington, D.C.
www.satellite2014.com

April 7-9, 2014
Sea Air Space
National Harbor, Md.
www.seaairspace.org

May 13-15, 2014
FOSE
Washington, D.C.
www.fose.com

A LEADER IN CYBERSECURITY EDUCATION SINCE 2001

With a unique concentration on senior military officers and DoD leadership, KMI Media Group focuses on distinct and essential communities within the defense market. This provides the most powerful and precise way to reach the exact audience that procures and deploys your systems, services and equipment.

KMI Media Group offers by far the largest and most targeted distribution within critical market segments. Sharp editorial focus, pinpoint accuracy and depth of circulation make KMI Media Group publications the most cost-effective way to ensure your advertising message has true impact.

KMI’S FAMILY OF PUBLICATIONS BORDER SECURITY & EMERGENCY PREPAREDNESS GEOSPATIAL INTELLIGENCE FORUM

Capitol College offers affordable, live, online master’s and doctorate programs in information assurance.

www.capitol-college.edu/mit


GROUND COMBAT TECHNOLOGY MILITARY ADVANCED EDUCATION MILITARY LOGISTICS FORUM MILITARY INFORMATION TECHNOLOGY MILITARY MEDICAL & VETERANS AFFAIRS FORUM MILITARY TRAINING TECHNOLOGY NAVY AIR/SEA PEO FORUM SPECIAL OPERATIONS TECHNOLOGY TACTICAL ISR TECHNOLOGY U.S. COAST GUARD FORUM

To learn more, call KMI Media Group at 301.670.5700



INDUSTRY INTERVIEW

Military Information Technology

Brian R. Fogg
Vice President, Technology Support Office
Chief Technology Officer
NCI Inc.

Brian R. Fogg, vice president of NCI’s Technology Support Office and chief technology officer, serves as a principal executive-level change agent to infuse new technologies into NCI’s client base and across its technical staff. He is responsible for providing technically oriented subject-matter experts and leading research/prototyping efforts to increase NCI’s understanding of customers’ technical requirements and to fashion state-of-the-art, cost-effective solutions to meet those requirements.

Q: What sets NCI apart from other federal IT contractors?

A: NCI remains focused on supporting our customers’ missions—by leveraging emerging technologies to drive new operational efficiencies and improved mission effectiveness, by crafting innovation solutions that consider “cloud first” implementation strategies, and by being a steadfast partner for our customers and teammates. We also enjoy the benefits of being a mid-sized company: We are large enough to tackle very challenging requirements and small enough to care about more than the profit. NCI employees are very passionate about our customers’ missions, starting from our C-level executives and continuing down to our most junior technologists. We also continue to invest in a strong centralized technology support group staffed by technologists who are leaders in their respective support areas to provide solution architecture services wherever and whenever needed. This means that for any opportunity and/or any customer, we bring the company’s best ideas, which are not constrained by organizational or customer boundaries. Our mantra is “the best idea wins.”

Q: What are some of the hot-topic solutions you are working on?

A: There are three very timely solution sets I’d like to discuss. NCI is currently designing, developing and implementing leading-edge solutions for advanced analytics, green technology and mobile enablement. For advanced analytics, we have a model health care fraud, waste and abuse detection service for the federal government. Our innovative solution leverages commercially available toolsets that align with our customers’ approved product lists and overarching enterprise architectures. Inside the tools, we embed advanced detection and pattern-matching algorithms to ensure that our analysts are directed to the most interesting anomalies first. For green, we are modernizing data centers and building/campus networking infrastructures. Finally, for mobile, we are creating applications for secure smartphones and tablets. Common to all three, we apply our “70/20/10 rule” for supportability and maintainability.

Q: Can you elaborate on your 70/20/10 rule?

A: In IT, we are in an unprecedented time. We have a lot of choices: There are many products and/or technologies that are generally “good enough.” Our product-selection methodology follows a deceptively simple rule: 70 percent of the solution must be out of the box, 20 percent of the solution needs to be configured, and 10 percent needs to be customized or developed from scratch. By following this rule, we deliver solutions that leverage the best of COTS/GOTS in terms of support and maintenance and minimize the friction between development and operations.

Q: Can you share a specific example of one of your hot-topic customer stories?

A: We are completing an infrastructure modernization project at the Army NETCOM headquarters building at Fort Huachuca, Ariz., and expect that it will play an important role in determining the Army’s future use of GPON technology. GPON infrastructure is centrally managed, requiring fewer man-hours to maintain than traditional active/distributed devices, and provides the ability to secure and monitor services from a centralized location. The equipment footprint is substantially smaller than a switch-based inventory, resulting in efficiencies in space, energy utilization, and staff to support the infrastructure. Passive optical network devices also have an expected lifecycle of eight to 10 years or longer, compared with approximately five years for traditional copper management devices. We are very excited about the very real energy savings and the applicability of these types of green solutions to agencies across the federal government.

Q: How can customers work with NCI?

A: NCI has a proud heritage of winning large-scale GWAC/MAC and ID/IQ vehicles. In fact, we have an enviable portfolio of contracts that include ITES2S, TEIS III, NETCENTS, Alliant, CIOSP3, and most recently DHS Eagle II. We also have a dedicated ID/IQ Management Office that can advise customers on the best possible vehicle based on their specific requirements.

Q: What do you want readers to remember about NCI?

A: NCI is a very agile company that cares—we care about our employees, we care about our teaming partners, we care about our customers’ missions, and we care about being responsible stewards of our customers’ time and resources. We take pride in providing cost-effective solutions that give more for less.

bfogg@nciinc.com



Nowhere too remote

10239tl © Astrium Oct 2013

Our customers benefit from decades of experience in delivering assured critical communications in some of the harshest environments worldwide

Astrium Services is a world leader in providing global fixed and mobile satellite communication services to government, military, NGO and emergency response users and supports all communications applications in land, aeronautical and maritime environments. Astrium’s secure COMSATCOM solutions are available under FCSA CS2, GSA Schedule 70, and other government contract vehicles. Astrium is the number one company in Europe for space technologies and the third in the world covering the full range of civil and defense space systems, equipment and services. sales@astrium.eads-na.com www.astriumservices.com

