Why Scorecards Don’t Tell the Whole Story for the Department of Defense

This summer, it was announced that the Department of Defense (DoD) received “F’s” on two separate federal government scorecards. The first of which was for the organization’s progress on its Data Center Optimization Initiative (DCOI), and the second was for its transparency in IT acquisition as per the stipulations and requirements of the Federal Information Technology Acquisition Reform Act (FITARA).

For those unfamiliar with the DCOI, it is a federal initiative that ultimately resulted when the government conducted a survey of IT infrastructure and resources and realized that there were an inordinate number of data centers across government organizations and agencies. The DCOI was a call for agencies and organizations to begin to optimize and consolidate these data centers with an eye for reducing IT costs across the federal government.

FITARA was a necessary step by the government to streamline the IT acquisition process. IT solutions and technologies have an incredible pace of innovation, and previous acquisition methods and practices that worked for things like tanks and airplanes simply were too convoluted and too slow to adapt to the pace of change in information technology. The resulting FITARA scorecard was part of this process, it measures the progress agencies and organizations are making, while also being transparent with their IT acquisition and optimization initiatives.

So why did the DoD fail and what do its IT leaders do to remediate these failing grades?

How We Got Here
The DoD is enormous. If it was an enterprise in the private sector, it would be the world’s largest company. Within the DoD are the four branches of the military, all of which are massive organizations in their own right, and all of which have their own IT infrastructures and ongoing programs.

IT is an essential part of warfighting today, and delivers a wide array of capabilities to the warfighter in theater. As a result, all of the DoD’s new platforms are IT enabled and need data centers to operate. Each of the individual branches of the military has historically built their own IT infrastructure simply because the demand to field new capabilities has superseded a desire to better centralize IT. With so much demand for connectivity and the eruption of network-connected devices, it’s easy to see why each branch has wound up with so many disparate data centers.

This problem was compounded by world events. For almost two decades, the DoD has been fighting two simultaneous wars. In wartime, the military looks to expedite new systems, programs and platforms that can help warfighters accomplish their mission. That means that the DoD was encouraged to do what is necessary to enable new capabilities for our warfighters in harm’s way. Joint data centers that serviced multiple organizations would have taken significantly more time and planning and our military did what was right for the fight at that time.

Without a centralized strategy, the number of data centers exploded. Now, with a change in world events, the excess cost must be addressed. But there are hurdles that will continue to hinder progress, which we’ll discuss in a second.

The size and scope of the DoD also contributes to its problems with FITARA – a program that also encourages the consolidation of IT infrastructure. Being as large and global as it is, and moving as fast as it often has to in times of war, the DoD has admittedly struggled to keep track of its IT inventory and resources. But it’s getting better.

Unfortunately, as the DoD analyzed its infrastructures, more systems were categorized as national security systems which are not covered by FITARA. A national security system is one that involves intelligence activities, command and control of military forces, is an integral part of a weapon system, or is used to support military or intelligence missions. It is surprising that any DoD system would not be categorized as a national security system. However the DoD was then slammed for both its lack of consolidation and lack of transparency because so many systems were no longer on the scorecard. Effectively, the DoD failed for doing what it was supposed to do.

So Why isn’t it Getting Better?
If the DoD understands they have a data center population problem, why don’t they do anything about it?

Well, it’s not that simple.

First off, there’s the question of, “What is a data center?” Technically, any room with a handful of servers in it can be called a data center. If each of the DoD’s locations has a computer closet, which they invariably and necessarily do, it’s going to be nearly impossible to consolidate them and drive that number down.

But then there’s the bigger issue. What does the DoD do with the applications and workloads that are being run and processed by the real data centers that it’s looking to optimize and consolidate?

The natural and simple response is, “Move them to the cloud.” At least, that’s what most private enterprises would do to help streamline their IT operations and systems. But that’s not an easy task for the DoD.

The DoD handles some of the nation’s most sensitive and classified information. The data that the DoD deals in can quite literally be the difference between life and death. When dealing with such sensitive data, it’s understandable to be concerned about placing it in multitenant, public cloud environments.

There is also the question of how can the DoD can respond to cyber attacks if its data is in the cloud? What if the 30% of infrastructure that is actually used to control the rest of the cloud is suspected of being compromised in a cyber war? Can the military forces “hunt down” and eradicate threats in all aspects of the cloud? While the clouds may be “secure” in the sense of implementing security controls, is it easier to fight through a significant attack if the DoD has its own resources? Probably, which is an issue hindering DoD cloud migration.

Ultimately, it’s taken a while for the DoD to figure out how to use cloud infrastructures. And it took time for policies and initiatives such as FedRAMP and the DISA cloud computing requirements security guidance to be released and hit their stride. That created another delay in the DoD embracing the cloud, which then slowed down the DCOI process.

A great example of this is the fact that two of the world’s largest cloud providers – AWS and Azure –were just authorized in 2017 to handle Impact Level 5 workloads – which includes the most sensitive and controlled of the UNCLASSIFIED workloads that the DoD processes.

But that’s in the past, which means that the future is looking brighter. The DoD has figured out how to utilize and benefit from public cloud offerings. Also, DISA recently awarded the milCloud contract, which will develop and deliver military-tailored cloud solutions across the DoD. milCloud will create a cloud ecosystem that has parity with commercial offerings, but is tailored more to military specific needs and concerns. Through this effort, DISA will also make available many commercial cloud capabilities, like software and platforms as-a-Service to the rest of the DoD. The DoD now has the tools it needs to get the wheels of optimization rolling.

That means 2018 could be a much better year for the DoD’s DCOI progress.

What Can Industry do to Help?
When it comes to helping the DoD with its technology challenges, including its recent DCOI and FITARA stumbles, the job of private industry is simple – industry needs to be there to inspire and deliver innovation. We need to take all of the technological wizardry that’s out there and available and create solutions that can effectively and affordably help the government and its agencies accomplish their missions.

If industry is successful, and the DoD can more fully embrace the DCOI, the end result will be savings for the organization and taxpayers. The result will also be a more effective and efficient DoD with more personnel laser-focused on accomplishing the government mission and less focused on IT. It falls on industry to bring the next generation, innovative solutions to the government that will enable them to optimize their IT infrastructure, eliminate legacy systems and focus their budgets and manpower on mission-critical tasks and priorities.

I feel that milCloud is certainly an incredible example of private industry doing its part to deliver innovative solutions to government. But the window is wide open for more advanced solutions capable of disrupting the status quo and radically redefining how the government operates.