In each issue of GovConExec, government contracting executives give forward-thinking insights on the latest innovations and evolving technology—and how to manage and deploy them. This time around, the experts tackle BYOD and the new FedRAMP initiative and contribute to a special Soundoff on what’s ahead in C4ISR.
Bring Your Own Device (BYOD)
With federal contracting companies and government agencies alike rapidly moving toward using more mobile devices on the job—and developing ways for both civilian and defense agency personnel to safely and efficiently use these devices—the door is wide open to Bring Your Own Device. It’s an evolution driven by the outgoing federal CIO and continued by the incoming one, and it comes with the promise of increased worker satisfaction, productivity, and efficiency. But in addition to possible viruses, spyware, and distraction factors, devices bring with them a host of knotty policy, security, and budgeting issues. We asked several leaders in the field about what strategic changes the BYOD phenomenon is prompting, both internally and in their federal contracting services, what true benefits they anticipate, and what challenges most concern them.
Thomas Harvey, senior vice president
AT&T Government Solutions
Driven by IT consumerization and mobile application proliferation, BYOD has driven many IT departments into uncharted waters. According to Forrester Research, nearly 60 percent of companies allow employees to use personal devices for work and provide IT support for some or all of their devices. No entity can afford to ignore this trend, especially as Federal CIO Steven VanRoekel develops and implements a new federal mobile strategy.
Each organization must determine the extent to which it will embrace BYOD based on business needs. However, security and privacy are key considerations that all CIOs will face immediately when they start evaluating BYOD. To succeed, a balance is required, allowing them to secure data on devices while maintaining an employee’s personal information and access to applications.
Despite the challenges BYOD brings, IT solutions exist that allow CIOs to manage employee access to applications and secure lost or stolen devices. AT&T offers a wide range of vendor-agnostic solutions and can work with customers to develop the BYOD solution that best meets their needs.
J. Patrick Burke, senior vice president, intelligence, homeland security, and special operations
The consumerization of smartphones and tablets is driving, if not mandating, their adoption by business, creating a convergence of business and personal computing needs. The result is a highly mobile, 24/7, “always-on” workforce. People want to use their personal devices to support all of their personas—including professional. Offering tremendous potential for operational utility, convenience, and eventually cost savings, these devices also present significant security and privacy issues that, if not properly dealt with, could turn this party into an enterprise-compromising rave.
BYOD adoption is not a one-size-fits-all operation. It’s an incremental, evolutionary journey that needs to include device pilots and appropriately sequence engineering activities. That process starts with defined policy and procedure frameworks that pay special attention to the security, privacy, compliance, and legal ramifications. Establishing mobile policy and IT infrastructure first are key to successful implementation.
Mobile solutions today offer servers and firewalls to extend existing enterprise and network security policies across heterogeneous mobile platforms, providing encryption, certificates of authority, granular policy-driven firewall controls, content-filtering and device-management tools, anti-virus protection, and malware eradication, including jail-break detection and remediation.
What’s more, a paucity of mobile applications have passed any security testing. Even fewer are capable of replacing an enterprise’s mission critical, legacy applications. So, while the move to mobile computing has begun, the wholesale migration won’t happen overnight.
Within SRA, we have established a Mobile Capability Center focused on end-to-end mobile device solutions, created a mobile application software factory, added a Mobile curriculum to our internal university, and established a corporate-wide mobile users special interest group to help us better support our customers and employees as they look to join the BYOD party.
Douglas C. Smith, president and CEO
BYOD reflects the ubiquitous cellular capabilities upon which we are all dependent. As more and different devices are used more often, we are seeing increasing demands on network infrastructure with our customers. Specifically, networks are being stressed with exponentially increasing data transport requirements. Our government solutions drive for zero downtime and reliable security at all levels—after all, the network is what delivers the services to the device.
As a 30-year veteran in the communications industry, I’ve seen constant innovation; yet my recommendations have remained consistent in terms of effectively capitalizing on emerging technologies. It’s about complying with standards and enabling full interoperability and security. For this, we must build solutions that enable full mobility and security in any agency enterprise and mission environments globally.
The Federal Risk and Authorization Management Program (FedRAMP) is intended to provide the standardized security assessments, authorizations, and continuous monitoring that will get government agencies and organizations onto the cloud faster and smarter. But FedRAMP’s “do once, use many times” framework promises more benefits than simply enabling increased cloud use—cost and resource savings, improved transparency and trust, and more security confidence and consistency are just a few. In fact, according to the 2013 budget, the administration is counting on FedRAMP to realize 30 percent to 40 percent cost reduction through authorizing and continuously monitoring cloud services. We scanned government contracting leaders to see how they’re positioning their companies to enable government customers to realize these benefits—and where they see the challenges emerging.
Robert L. Otto, executive vice president
When I was CIO/CTO of the United States Postal Service, I advocated standardizing the certification and accreditation process across agencies, so I am excited by FedRAMP’s potential. It is always challenging to satisfy a broad audience with a solution that isn’t too prescriptive, but I think they are proposing a very pragmatic approach.
A big concern expressed about FedRAMP is that it doesn’t go far enough, eliminating some of the cost savings when agencies add their own needed controls. While this is true, I think it’s far better to start with a 50 percent solution than no solution at all. And without flexibility, agencies are unlikely to utilize the FedRAMP certifications.
Another potential gap is the lack of a formalized role for industry in the governance model. Cloud computing is based on shared responsibility and emphasizes continuous improvement. Without an industry-wide mechanism for updating or influencing the controls, we risk constraining innovation.
While the process is moving quickly, providers should recognize that it will take time to fully implement FedRAMP with initial bottlenecks likely. Patience is needed as concepts are transformed into best practices. A two-track approach of pursuing certification while using ad hoc approaches to meet current requirements will be needed for the foreseeable future.
Daniel Kent, federal CTO and director of solutions
While FedRAMP at first blush appears complicated and costly, with its 250-plus controls that must be addressed for compliance, it actually simplifies the scaling of that cloud provider as it sells to all government agencies. That value comes from a single accreditation that many agencies can leverage.
Only time will tell if the FedRAMP compliance structure meets federal agency security concerns. FedRAMP helps ensure that contractors have strong cyber-hygiene in their cloud infrastructure. Securing federal-agency cloud applications must be an iterative process, and FedRAMP acts as a strong first step. FedRAMP will also help to reduce redundancies if agencies accept the process and do not reject FedRAMP accreditations.
Industry has actively participated in the creation and maturity of FedRAMP. In operation, industry input and participation will continue through the third-party assessment program.
Nicole Geller, CEO
Many federal agencies embrace “cloud services” as a technology trend that has arrived. But there is not a consistent understanding of what those services are, how to best embrace them, and what is expected.
Enterprise security solutions are one key enabler needed to move forward. The government needs to ensure that solution providers understand the necessary security requirements. Individual mission areas are attempting to incorporate criteria in RFPs that mitigate offeror concerns responding to cloud service development. Companies must respond to these requirements each time and are challenged to do so. FedRAMP offers an opportunity to have one standard established with a common set of principles. Companies taking advantage of this newer process should be well-served in that they will have to respond only once to the issue.
FedRAMP can potentially speed cloud adoption and allow agencies to reshape IT operations with PMOs to ensure cloud functions and processes deliver expected results and benefits. Cloud computing and project management are linked—the cloud demands higher security scrutiny and scalability, and project management allows agencies to harness cloud benefits. FedRAMP establishing security standards can only help project management in cloud environments.
As a program management and acquisition solutions provider, we advocate anything that decreases risk, increases efficiencies, and promotes innovation. FedRAMP gets ahead of the curve and provides a service-centric solution promoting early requirements definition. The more thought leadership completed up front, the fewer program risks at later stages.
John Fitzgerald, CIO
Dell Federal Defense
FedRAMP is a move in the right direction for standard security configurations and improved security posture. Providing standard security profiles is essential to providing a secure computing environment. The security profile must be able to leverage and integrate into existing federal investment, at minimum for a three- to five-year time period while existing software and process is migrated to new standards.
With a refreshed national focus on cost control and reduction, and limited additional funding for FedRAMP, flexibility and patience are the priority for now. As with any security process, with FedRAMP, the government needs to continue to evolve and refine these control sets and mandate improvements for greater efficiency.
There is concern that government agencies will add on to existing requirements, making the established, tested base offerings less valuable and the overall process less efficient as agencies add on minor changes that require resubmission. FedRAMP must keep these changes to a minimum by moving toward standard security configurations. Continuous monitoring and mitigation need to be a key focus area, and commercial public cloud service providers need a much higher degree of transparency in their security operations for government customers. The government needs to continue and widen industry participation while keeping a laser-sharp focus on maintaining open standards.
Susan Zeleniak, group president
For Verizon, the introduction of FedRAMP fits well with our own internal direction and strategy for designing, developing, and operating secure cloud services through our Terremark subsidiary. Verizon has worked closely with the GSA and other federal entities over the past two years to provide information and recommendations on security requirements and the authorization process. Verizon has also worked with NIST and provided support to its cloud security forums.
FedRAMP aligns with NIST 800-53 security controls and the FISMA risk management process. The FISMA risk management process, one of the most comprehensive security policies available today, is being positioned to support civilian, DoD, and intel customers in the future. FedRAMP’s continuous monitoring process helps ensure that infrastructure evolves with new security threats and vulnerabilities.
FedRAMP was intended to reduce the number of required certifications and accreditations. FedRAMP’s actual impact will be proven out over time as service providers go through the process and agencies agree to accept the FedRAMP authorization.
Special focus: Next-generation C4ISR
C4ISR has driven a revolution in military affairs that has transformed the nature of warfare and intelligence. Its evolution over the past 20+ years has proved to be a critical enabler and an opportunity-laden sector for federal contractors—one that can deliver combat and intelligence superiority and cost efficiencies through an era of shrinking budgets and looming global threats. Here is what several top C4ISR experts had to say about what the real moving-forward customer needs are, where the next innovations will come from, and the special network and security requirements the government contracting sector is working to address.
Bob Edmonds, vice president of Air Force programs
Military and civilian government agencies have both capitalized on advances in UAS technology and we’ve had an explosion of UAS platforms and sensors. However, one of the most used phrases among senior USAF leaders highlights the dilemma: “We are swimming in sensors and drowning in data.”
Hence, the most pressing need now and in the future is managing large amounts of data—rapidly and efficiently accessing the disparate data sets flowing across the crowded spectrum and finding ways to collect, process, manage, disseminate, protect, and exploit useful information from them.
Some of the most critical next-generation products will be those that more fully exploit the C4ISR spectrum to enhance and leverage fifth-generation platforms and weapons. Additionally, we need to better understand how cyber technologies, beyond IA and IT security, can help meet mission needs.
In the face of severe government budget constraints, the government is going to have to partner successfully with industry to ensure technology helps drive down costs. One way to do this is by developing more autonomous systems with open architectures that integrate multiple sensors. This will allow users to pull what they need, and only what they need, when they need it from the network, reducing the number of analysts required and thereby lowering costs.
Terry Collins, vice president and general manager, electronic and mission systems
C4ISR is becoming more critical than ever in a resource-constrained environment. As government operates with fewer boots on the ground, having the tools to see ahead, evaluate the environment, and adjust plans before deployment facilitates more effective operations.
Real-time information is more important than ever. Signals exploitation, integrated naval warfare systems, and airborne multi-intelligence platforms are examples of how we’re focused on providing the warfighter immediate, integrated pictures of the situation at hand. It’s also critical that we continuously strive to make C4ISR capabilities both more affordable and more adaptable to the constantly changing strategic environment.
Biff Lyons, vice president, defense and security sector
C4ISR provides all the information necessary for a command structure and ultimately a soldier to complete a successful military operation. We see four links in this chain—sensors, assured communications networks, data, and actionable information. That chain is no stronger than the weakest link.
There is always a desire for a better sensor (more range, resolution, sensitivity), and there is a clear requirement to protect the networks using a variety of developing cybersecurity techniques.
But systems we have today produce an enormous amount of data that cannot be used in a timely fashion. We need to figure out how to use what we already have. This requires investment in data fusion and technologies that aggregate data as well as develop and exploit social networks. This requires better analytics so actionable information is provided. In this manner, soldiers are provided the tools necessary to confront the job immediately in front of them and around the next corner.
These technologies are directly applicable to any government program with a mission for timely action based on massive disparate data. Parsons is providing information assurance and cybersecurity products and services, as well as software that aggregates and fuses multi-INT disparate data that is reliably useful to the soldier and analyst in the field.
Greg Wenzel, senior vice president
Booz Allen Hamilton
The next-generation capability needed for C4ISR is convergence, or more simply, an integrating framework. Yes, there are some tactical needs in technologies, such as new sensors for changing threats, FMV exploitation algorithms, and cloud-processing capabilities like what DCGS-A is doing, but I believe the main need now, given future expected budget cuts, is the convergence toward an even more net-centric solution.
The value created in the interconnections between the sensors, ground stations, and PED “network” will essentially create new capabilities without the cost of a new program. The convergence toward a common network, common data ontologies, etc., will enable the government to amplify the value in the billions already invested in creating persistent surveillance (e.g., $2B ISR surge) in new ways. The net result is top-line more effectiveness of the mission and bottom-line efficiencies.
DI2E shows promise in a “hybrid” approach to achieving this integration on the ISR side, but I am not sure there is an equivalent on the C2 side. I believe this need has been around for years, but given budget uncertainties and a need to become more efficient, budget reductions may be the tipping point to actually achieving this convergence.
Chris D’Ascenzo, vice president
BAE Systems Intelligence & Security
A critical need exists for increased interoperability throughout the C4ISR community. The development of open-architecture products is essential to meeting the U.S. Army’s demand for solutions that achieve secure communications and data integration. There is a need for next-generation products that support coalition networks. It is a priority to have access to cutting-edge technologies such as battlefield sensors, multiple waveform radios, and products that simplify combat-vehicle C4ISR integration.
Our customers need commercial, off-the-shelf solutions that enhance network integration, improve product sustainability, and address technological gaps. The development of innovative open-architecture solutions will shorten product development times, speed up repairs, and allow for real-time software and systems updates, even in the field. At BAE Systems, we provide our intelligence and defense community customers with tools that promote and support interoperability.
Compiled by Gerry Simone