DISA Accelerates Cloud For Warfighters For All Domain

WASHINGTON: DISA is developing capabilities to deliver the speed that military leaders say could provide the US with a decisive advantage in future warfare. The speed in this case relates to how quickly warfighters and combat support services can tap resources in the DoD cloud. Some early pilots have reduced the cloud deployment time for mission applications from more than a year to several hours.

Leading the way is DISA’s Cloud Computing Program Office, a self-described “nimble team” of technologists and acquisition specialists that says it moves with the “Velocity of Action.” Like much of DISA, CCPO isn’t in the public spotlight, but its largely unseen work is integral to the success of DoD’s vision of rapid cloud adoption and software modernization for warfighters as well as combat support.

One of the CCPO’s major initiatives is called DoD Cloud Infrastructure as Code. The term IaC, widely used in the IT industry, is a clunky bit of jargon, but the underlying purpose and function are critical to making DoD’s cloud environment as agile as possible.

IaC uses computer code to perform the complex series of tasks required to activate and deactivate cloud resources — think, for instance, servers in a data center — to support mission applications. These tasks can be performed manually by humans working on hardware, but with IaC, most of the work can be automated. Automation takes the form of templatized instructions that are encoded and then processed and executed by machines. The instructions can be functional or procedural, but in both cases, the result is to spin up or wind down cloud resources — i.e., infrastructure — as reliably, predictably, and efficiently as possible.

“DoD Cloud IaC is important because it allows mission owners to focus on their missions,” CCPO Product Owner Dave Lago told me. IaC “remov[es] the heavy burdens and resourcing costs that come with cloud networking environment development, audit, identity, and underlying security services. When DoD entities deploy the IaC baselines, critical capabilities get to the warfighter faster.”

How much faster? Much faster. “Prior to deploying a mission application or data into the cloud, mission owners have to go through complex, time-consuming cloud design, provisioning, configuration, and assessment and authorization processes that can take a year or more to complete,” Lago explained. “Whereas, DoD Cloud IaC reduces this exhaustive process down from months and weeks to potentially as little as 2 hours, by providing pre-configured, pre-authorized IaC templates that rapidly build secure cloud environments through automation and the use of cloud service provider [CSP] managed service offerings.”

Just as important as the speed enabled by automation is the security of the cloud environment. CCPO’s model emphasizes hardening, patching, vulnerability scanning, and host-based security, Lago said, as well as continuous monitoring using security policies that enforce the secure configuration of cloud resources.

DoD Cloud IaC supports a “wide spectrum of DoD use cases and is ideal for DoD entities that want to rehost, rebuild, or refactor their applications” to take advantage of CSP-managed services and security tools, Lago said.

Lago highlighted a recent case with the Army Enterprise Research and Development Center Construction Engineering Research Laboratory. This DoD organization was part of a pilot effort that migrated its Enterprise Sustainment Management System to a DoD Cloud IaC baseline, which resulted in significant resource savings, Lago said. Rather than several months of design, configuration, and security compliance work, they were able to migrate their workloads in “mere hours.”

DoD Cloud IaC will play a key role in enabling future Joint All Domain Operations. The reason is that warfighters and combat support departments will use the DoD cloud for the infrastructure (e.g., cloud servers) required to support mission applications. In a joint force operation, for instance, the Air Force, Army, Marines, Navy, and Special Operations could all be independently spinning up and winding down warfighting applications in the DoD cloud as needed to support each part of the mission.

The DoD Cloud IaC project began last March. There are two baselines: one for Microsoft Azure and another for Amazon Web Services. DISA formed Collaborative Research and Development Agreements (CRADAs) with the cloud providers to “enhance the IaC baselines” that CCPO developed, Lago said.

The Azure baseline has been used in numerous pilots with military services, combatant commands, and Fourth Estate agencies and is expected to receive an authorization from the DISA Risk Management Executive (RME) within the next several weeks, Lago said. The AWS baseline is under development and has successfully completed an initial pilot.

The DoD Cloud IaC is just one of several major CCPO initiatives. Perhaps most visible: As the pandemic set in last spring, the CCPO played a key role in enabling maximum DoD-wide remote work using Commercial Virtual Remote Environment. CVRE provides collaboration tools for telework, such as chat and video conferencing, on the Non-classified Internet Protocol Router Network (NIPRNet).

On Jan. 31, CCPO transitioned from the DoD CIO to a standalone center within DISA. This transition had been planned since the CCPO’s founding two years ago. The transition means CCPO now gets operational direction from DISA rather than from the DoD CIO.

Ultimately, Lago said, CCPO and its partners will continue enhancing and refining DoD Cloud IaC to “help [warfighters] build secure cloud environments in repeatable fashion using automation” — all in service of achieving the speed the US needs for that decisive edge.