JWCC, zero trust, user experience & a new cyber talent strategy: DoD CIO sets FY23 priorities

Mr. John Sherman, Principal Deputy Chief Information Officer, presents keynote address from the Pentagon Briefing Room for the Cyber Beacon virtual event, Dec. 3, 2020. (DoD photo by Marvin Lynchard)

WASHINGTON — The Pentagon plans to award the first task order under its Joint Warfighting Cloud Capability (JWCC) this fiscal quarter, one of many priorities the Defense Department’s chief information officer is set on accomplishing over the course of this year, he told Breaking Defense in a Jan. 27 interview. 

Four vendors — Google, Microsoft, Oracle and Amazon Web Services — are competing for these individual task orders under the JWCC multi-cloud contract to build out DoD’s key military cloud computing backbone. 

Sherman said that he’s also planning to release new guidance under JWCC within the next few months to ensure DoD gets the best value for its dollar and mission outcome instead of “running on autopilot.”

“Very likely I’m going to be signing out some guidance in the next couple of months here about how I expect the enterprise to leverage JWCC in terms of what must go in there and where are some other areas that could [have] some flexibility,” Sherman said. 

“I’m not gonna do anything capriciously or just with a sledgehammer here,” he said. “This will be with a surgical knife about where things need to go, and…if I was my boss, I would expect the CIO to be doing this and make sure the government is getting the best value for our dollar and the very best mission outcome. And that’s why rather than just let this kind of run on autopilot, there is going to be some guidance about how this works.”

But while JWCC is his primary focus, Sherman made it clear that he has plenty of other topics on his plate.

Zero Trust By Fiscal 2027

A major focus for the year is implementing zero trust, a framework that assumes networks are already compromised and therefore requires authentication. DoD has “already moved out on” this under Randy Resnick, director of the Zero Trust Portfolio Management Office, Sherman said.

Sherman has set an ambitious goal of implementing zero trust by FY27 across the entire department. Last November, DoD released a zero trust strategy and roadmap outlining 91 “activities” needed to reach “targeted” zero trust, the required minimum set that DoD and its components need to achieve, and 61 advanced-level capabilities that provide the highest level of protection.

“Now, remember, we’re not telling the components how they’re to do this, they have some optionality with different courses of action…So Randy and his team are statusing this with the components,” Sherman said. “And how I’m going to make sure this gets to where it needs to be is, I have the consolidated planning guidance I put out every year at the beginning of the year and then the budget certification I have…towards the end of the calendar year. And that’s in addition to other oversight mechanisms to make sure the components are getting after that.”

Earlier this month, Resnick said red-team hackers from the National Security Agency and potentially from the military services will launch a months-long series of attacks, beginning this spring, on zero-trust security systems on clouds run by the four JWCC vendors. 

“We saw that there were four CSPs, or cloud service providers, that were delivering services in the future under the JWCC contract,” Resnick said Jan. 19. “And so we said to ourselves, ‘Why don’t we approach those four contractors — independent of JWCC — but to bring up the subject of zero trust with them, show them what our definition of zero trust is… and ask them whether or not they believe they can do zero trust to the target level within their cloud infrastructures.’”

User Experience: An Area You’ll Hear More About This Year

Directly following zero trust on Sherman’s list of priorities is improving user experience.

In January 2022, an “open letter” via LinkedIn from an Air Force officer begging DoD to “fix our computers” before investing in other areas went semi-viral. The DoD CIO Office responded in its own LinkedIn post, signed by Sherman and the CIOs of the Army, Air Force and Navy, saying they took the dialogue “to heart” and that more work needs to be done to make user experience better.

“You’re gonna hear me talking more about this [user experience] this calendar year,” Sherman told Breaking Defense this week. “Now I know there’s the whole ‘fix our computers’ thing from last year. We have taken this to heart … We [are] working with the military department CIOs, this is a priority. There is budget guidance on this and I’m going to be holding meetings with the service CIOs…and others to determine exactly how each one is going to get after this.”

He added DoD has “done a lot at the enterprise level” when it comes to improving user experience, crediting the Defense Information Systems Agency. 

As part of his efforts to improve user experience, Sherman said he’s “been talking to a number of folks down in the trenches doing software development folks out in the force…what is hitting them out there? What is the hang up?”

“And some of it is on base transports…there’s dated hardware, perhaps on installations,” he said. “When I mean hardware, I mean routers, switches. Yes, some of the hardware of the laptops themselves are older. We probably need to upgrade and are upgrading a number of those.”

DoD also needs to continue doing better on software, Sherman said, and a new software modernization implementation plan will be released “soon” from Deputy CIO for Information Enterprise Lily Zeleke’s office that will build “on the good DevSecOps work that’s already going on across the services.”

A New High-Level Cyber Workforce Strategy Will Be Released ‘Soon’

The Pentagon wants to recruit and retain top-level cyber talent and is planning to release a strategy to show how it will do so. Sherman said the strategy is “just about ready,” but it won’t be a long document. Instead, an accompanying implementation plan that will be released after the strategy will be more “granular and specific,” he added. 

The strategy will showcase how DoD is going to evolve its cyber and digital talent approaches and leverage tools already in place, like the Cyber Excepted Service and work the department has been doing with directive 8140 on areas like the defense cyber workforce framework. Last June, Sherman said he was working with Craig Martell, the Pentagon’s Chief Digital and Artificial Intelligence Officer, to develop the strategy. 

“So I’m excited about this,” Sherman told Breaking Defense this week. “It will be high-level to kind of put the marker down on this, and then an implementation plan that will follow some months later that will really get into the granular details of it.”

Sherman’s other priorities this fiscal year include electromagnetic spectrum operations and getting the Cybersecurity Maturity Model Certification version 2.0 program into rulemaking. The program aims to strengthen the cybersecurity of the Defense Industrial Base by holding contractors accountable for following best practices to protect their networks.