How Insurance Works

Mark Orndorff, Mission Assurance Executive (Acting)


MARK ORNDORFF:
Okay, so I was told that if I walk around, they won’t be able
to follow me on the video. So, my gift
to those on video is I’m going to walk around, so you won’t have to
look at me, okay? So, that’s my gift to you. Those in the room,
I’m sorry. I would hide or do something,
but, you know, so be it. So, first off, I wanted to
introduce a few folks. I think most of you who’ve ever been
to an industry day at DISA have seen me and heard me
and all that, but there are some new faces
in the group that popped up
on the re-org chart this morning that the boss showed, that I wanted to
get up here on the podium and let you get
some face recognition. So, first off,
Mr. John Hickey. John, if you would stand up,
turn around, get on camera, say hello. [APPLAUSE]
JOHN HICKEY: Hello.

MARK ORNDORFF: John is
the new authorizing official, also known as DAA. So, he’ll be taking up
that responsibility and cleaning up
a lot of the mess that I’ve created
over the last couple of years. [LAUGHTER] The next new addition
to the team is Mr. David Stickley. He is the Vice PO
for Mission Assurance. The titles are still
under construction. I think the boss said that.
I hope he did. But titles are not important,
necessarily. The work is what’s important, but Mr. Stickley is leading
right beside Mr. Keeley, who unfortunately couldn’t
make it this afternoon. The delivery
of cyber capabilities– I know the boss pointed out that’s one of
his key priorities, so Mr. Stickley,
Mr. Keeley, that’s the team that’s going
to be carrying that forward and again cleaning up
much of the mess I’ve created over the years in the cyber defense
capability area. Next new addition
is Mr. Pete Dinsmore. Pete, stand up, please. [APPLAUSE] Pete is the DCTO
for Mission Assurance, so he’s the brains
behind the rest of us, actually figuring out how
we solve cyber defense problems and what
we should be doing next, as we work through
security architecture and coming up with the
innovations and solutions, okay? So, once we get to the
questions and answer portion, if you have hard questions, I’m going to be leaning
on my new battle buddies to try to get you accurate,
meaningful answers, okay? All right,
let’s go to the next slide. So, I think this is somewhat
consistent across the years. I always like,
in talking with industry, to frame the discussion
with the description of, “What problem is it we are
actually trying to solve?” as opposed to saying, “When is the next RFP going to
hit the streets?” Okay? Because I think
it is important that we have
that broad understanding of what we’re trying to do,
what we’re trying to fix, so that you can
interpret RFIs and RFPs and see the higher level
commander’s intent, objective, problems, statement, et cetera.
So that’s what I’ve got here, and this slide is
composed of information. It’s a little bit
in the small print, so I’ll read it to you. It’s composed of information
from the JIE ICD. What does ICD stand for?
Come on, brains.
– Initial Capability Document.
– Initial Capability Document. The GIG 2.0 ICD and the cyber
situational awareness ICD. So, these are all documents
that were created outside of DISA
by Joint Staff, Cyber Command, DOD CIO to try to describe
what problem we should all be working on,
as well as the JIE OPS, CON OPS and the Chairman’s
white paper on JIE. So, I really like this slide. I really like it,
not because it’s a neat slide, but because it helps
articulate and clarify what we really
are trying to get after to improve the defenses within
the Department of Defense, okay, the cyber defenses within
the Department of Defense. And one of the key themes
that comes out in this slide is that it is really not talking
about technology, per se. It’s not saying we don’t have
an adequate firewall, or we don’t have a tank
that can go a certain speed, or project a certain distance. It’s talking about
enterprise defense of the cyber battle space across
the Department of Defense. And if you read through
the details on this slide, almost every one of them talks
about the gap that’s created by having stovepipe efforts– all good,
all well-intentioned, all effective
in their own right, but stovepipe efforts
by the services, the agencies, the combatant commands
that leave us without the visibility
that we need to adequately defend across
the entire enterprise, okay? Does that make sense? So, that, to me, says DISA,
you need to step it up a notch, because DISA is all
about enterprise capabilities. It’s all about joint. It’s all about pulling
together the equities, interests, capabilities
of the services to deliver enterprise solutions. So, I see this slide as a tremendous challenge
for us, as an agency. Now, there are those
who interpret this– and to be honest,
I was one of them, until I got my mind right– that DISA should do more of
this actual cyber defense work and that we should solve
the problems for the services. Now I think
that’s really the wrong idea, the wrong concept, but that we should be
right there in partnership
with the services, so that we leverage
their capabilities, we enable them with
some enterprise solutions, but we certainly do not want
to disenfranchise the services or imply that DISA
is going to take over and do all that cyber defense
stuff for everybody, okay? So, as you see
the next two slides, they will try to
reinforce this message that as we get
enterprise level views, as we get standardized
security topologies, as we reduce
the avenues of attack, all that is done in a way
that gives the services the ability to execute their
cyber defense responsibilities, and we’re building
that completely in partnership with the military services,
okay? Now, one of the things
that’s come up– and I’ll just say it right here
to get in front of it. I could’ve probably put it
anywhere in the briefing, but I’ll just
get it right up front– is the comment that, “Are you putting
too much dependence on an enterprise approach,
a single security architecture?” So, now you’ve got a single
point of failure, okay? That’s definitely a concern that was well thought out
and considered, as we built the strategy,
built the architecture, and proceeded
with the acquisitions. So, if you look
at the approach, the way I characterize
the previous approach, we’ve sort of got some diversity
just by random activities and maybe the chaos theory
that if everybody just goes out
and does their thing, you’re going to end up
with some randomness, okay? But what we’re doing now
is we’re designing technology diversity
into the architecture, designing it so that we have
reinforcing capabilities and ensuring
that those capabilities reinforce themselves
in a logical, effective way, but do that in a way
that gives us that enterprise level view,
where the legacy approach,
and meet a security guide– do it however you see fit,
but do it in isolation– creates those pockets
that adversaries can work within and then become effective. They become effective
in exploiting and attacking against the Department
of Defense, okay? Next slide. So, busy slide–
I apologize for that– but it really emphasizes a few,
just a very few core concepts and one is that we
have some enterprise level
boundary defenses. On this slide,
this one is really focusing on the unclassified network
as an example, but there’s a companion slide
on the classified side that talks about how we have the companion set of enterprise
level boundary defenses. That gives us the opportunity
to mitigate a number of threats effectively with one ops center,
executing counter measures, monitoring and managing
those devices, that set of technology,
key points in the network. Right behind that, we have
the regional security approach, where everybody
has heard JRSS. That’s the main effort that
we’ve got ongoing this year, next year, and possibly
extending on beyond that. That, again,
enables the services, enables the services to do their
cyber defense responsibilities, execute their responsibilities
with the standard solution that’s operated
and maintained by DISA, but run by
the military services. So, we’ll take care of
the health and welfare. We’ll keep it alive. We’ll patch it. We’ll maintain it. But the policies,
the configurations, the management,
the cyber defense activities will be done
by the military services leveraging that platform. We’re able to put in
a lot of high tech, latest technology
into that regional stack that you couldn’t
afford to do at the 17– what’s our latest number, 1,700? 1,700 points of light
that we have tried to do before. So, it gives us an advantage
in terms of how we can approach
that regional layer of security. Don’t have any details
on this slide, but on the other key defense
point is the core data center, where we have a security
architecture in place today that will evolve over time, that puts the appropriate level
of protections at the host and the boundary
for the critical application supporting
the Department of Defense. Before I go to the enclave,
I wanted to point out a new addition
to the concept, and that’s this
commercial cloud off to the side
for levels three through five. And I know, if you’re
in that cloud security business, you probably
are painfully familiar with the level one, two,
three, five, six, all that kind of stuff. Three through five is the
sensitive but unclassified work that we are trying
to find the appropriate way to put at least a set of it into a commercial cloud, either on premise
or off premise. What we’re showing here
is how we are leveraging a virtual slice of the Joint
Regional Security Stack to give us the protections
and visibility that we need for the workload that goes into
that commercial cloud. A core part
of where we’re going, very important
strategic direction for us and for the Department
of Defense; and I’ll probably get a question
or two, I suspect, on that when we get
to that point. Enclave and end point. So, the military services
run the end points. The military services
run the enclaves, but we provide some enterprise
level capabilities to help them, help empower them and enable
them to do that function. One of the things– and you’ll
see this in red here– is host-based security
system, HBSS. We’re approaching
on the end of life of that contract vehicle, and one of the top priorities
for Pete Dinsmore– you feel that bus
rolling over your back? Okay, that’s me, yeah. –is to figure out the strategy for the next generation
of end point defenses, okay? At this point, I’m not sure
we even have a strategy to get a strategy,
but that is one of the things Pete is absolutely focused on, to change the dynamics of what
the Department must accomplish versus what an adversary must– is able to do
to get an advantage. The balance of power
is in the wrong direction. It’s definitely
an asymmetric battle right now, with us having to get it
all right, all the time everywhere or pretty darn
close to that, and them just having to find
a point of presence that they could get a foothold,
and then they spread and have a broad ability
to do damage. So, Pete’s focus is to come up
with a new strategy that will then lead
to an acquisition strategy, but it will be focused
on coming up with a more effective
and more efficient and more consistently
executable approach to defending the end points. Did I get that
about right, Pete? You got it solved yet?

PETE: In another hour.

MARK ORNDORFF: Okay, I don’t
know why you’re sitting here. I don’t know
how that one worked out. I’m going to talk
about the cyber SA piece on the next slide,
so I’ll skip that here. The color coding hopefully
aligns to your handouts that I guess were
downstairs or somewhere, that give you
the specifics about what specific contract
activity is intended on each one of those
green-shaded activities, and then the red being
the big re-engineering new solution opportunity
that Pete is working on, as we speak. Let’s see. One last thing
I sloughed off of this slide is a mobile device manager. As I think everyone knows, one of our major efforts
recently was to get
an enterprise MDM in place. That already is up
for a re-compete, so that will be coming out on
the streets here shortly, as well. And one of the things
that’s aligned to that is Pete’s effort
to look at end points, because I kind of think
of my iPad as an end point, even though we have
a different strategy for securing iPads and androids
than we do for Windows desktops. So, part of what
Pete’s looking at is should that be a single
end point protection defense strategy, okay?
Next slide. I’m trying to make sure that
most of the questions go to Pete, not Mark.
– I’m noticing that.
– Okay, all right.
How am I doing? So, Cyber Situational
Awareness Analytic Cloud– you know,
we talk a lot about JRSS, Joint Regional Security Stack, but I really think
that this analytic cloud should be and is
the most important activity that we have on our plate
right now. JRSS is a great concept. It will provide
advanced capabilities. It will be more efficient. It’s a great,
great step forward, but really only if we have
the analytics that go with it, only if we have
the analytics to go with it, because the cyber defense
work force has got to be able to see
what’s going on, on the network to know
how to leverage and apply those countermeasures
and the capabilities that are provided by the Joint
Regional Security Stack. Static defenses without
analytics are not going to work. They’re not
going to be effective. We’ve got to have the analytic
platform to go with it. We had a session
off at Fort Huachuca, hosted by Mr. Creager, our very best partner
in this effort, our very best effort,
Mr. Mike Creager. And one of the groups
went off and worked through a whole array
of cyber use cases, talking about various
threat activities, and said, “How do we identify that threat, and how do we
counter that threat?” It was a pretty
interesting group, all pros at actually
doing this for a living. And what came out
of every single use case was that JRSS by itself
would not provide the visibility needed to actively engage
with that threat scenario. JRSS, enriched by data from
the Internet access points and enriched by data
from the core data centers, and enriched by data from
the enclaves and end points, HBSS, then gives you
that visibility that you need to see the threat activity,
and get in front of it, contain it, stop it, engage with the offensive
that’s part of the scenario, but it gives you
all of the visibility that you need to be effective,
where JRSS is just a piece, an important piece,
but just a piece of that larger cyber
situational awareness that’s really
the most important message. So, one of the things
I wanted to highlight is CSAAC is not
big data analytics. CSAAC includes
big data analytics, but our Cyber Situational
Awareness Analytic Cloud is intended
to be capability focused, leveraging
the appropriate technology to achieve the effects. Okay? So, we talk about
the big data analytics, because that’s kind of sexy.
It’s in the press. Everybody likes to talk
about big data. It’s important advancement
in the analytic cloud, but we’ve also got some
great commercial technology that is not going to go away. It might be tech refresh
and re-competed, but we’re going to continue to
leverage commercial technology, where that’s the best solution. We also have some traditional
structured database components, where sometimes
that’s just the best way to deliver a capability. Bottom line is, it’s all about
the cyber workforce. It’s all about delivering them
the capabilities they need to see and defend
the DOD networks; and by the way, when I talk
about the cyber workforce, I’m using it
in the broader sense, where we have
the cyber operators that do
the operating defense 24/7, as well as the emerging
cyber protection teams. So, if you’re a cyber protection
team, coming into FOC, I see this as
your major weapons system, as the place
that you can go to hunt and see what’s going on,
on the network, find out what needs to be done, and then execute
countermeasures, as appropriate, leveraging the technology across
the entire spectrum, okay? Not saying
that’s their only tool kit, but I do see
cyber protection teams as probably priority one user
of the analytic cloud, right side-by-side with
the cyber defense operators and the core workforce
that you see in DISA every day. And the services– sorry. I was guilty
of leaving the services out. Should listen
to my own presentations every once in a while, right? Okay, so that’s
the slide portion. I think
that’s the last slide, right? Yeah,
and the intent was to have plenty of time
for questions of Pete and Stick.
[LAUGHTER] So now is your opportunity
to put them on the spot or me, if you have
any easy questions, okay? Have I effectively stayed
out of view of the camera? – Hello, Mark. This is
Bernard Durham from Lindquist. Earlier, we heard a presentation
from Jessie Showers that referenced the OSS. How do you see the OSS
feeding into the architecture you just presented? – Yeah, so let’s go back
one slide, and then we’ll go back
two slides. Okay, whoops,
let’s go here first. So, the OSS is part of
the data source down here for the core data centers. There’s a support system there. There’s a core support system
that Jessie talked about that manages
the IPs and the DISN. So, that’s a key data source
coming into the analytic cloud, and that really gives us the Enterprise Service status
piece primarily, but also some key data
for some of the other functional capabilities
inside of the analytic cloud. We use that today
as a core source of data for managing Enterprise email,
for example, okay? Let’s go back to the next slide,
the previous slide. So, inside this bubble here,
Enterprise Operations Center, the tools that they use to actually configure,
manage, and maintain the backbone Enterprise and the core data center
is that OSS suite of tools that basically gives the
Enterprise operations centers the wrenches and screwdrivers
that they need to do the day-to-day tasks.
Does that– okay, next question. – Mr. Orndorff, I have one
from the virtual audience. What is DISA’s position on using
vendor proprietary protocols that eliminate others
from competing for emerging opportunities
across JIE, JRSS? – Okay. [LAUGHTER] When did you stop
beating your wife? [LAUGHTER] Okay. [LAUGHTER] So, what is our position
on doing bad things? We shouldn’t do bad things. [LAUGHTER] We’re opposed to that. Vendor proprietary protocols
and eliminating competition, obviously, we try to
avoid doing that. I do think there are situations
where we’ve got to innovate in ways where we accept
some compromise. We make some compromises
with the vision then to get away from
that over the long-term. I’d kind of be interested
in some specific examples where we’ve done that. That’s
really inhibited competition; because I think,
in most cases, if we do something like that, it’s because there is
no competition, right? And if we have done that, or you see us heading
down that direction, I would say, first off,
engage in the RFI process and let us know if you see us
heading down that path before we get there; and then
if we are already there, and you see where
we’ve done something that’s inhibiting competition, you let Stick or Bill
know that we’ve done that, and we need to relook
at our strategy, okay? Next question. No more questions? – Here’s one. – Okay. – Hi, Eric Lewis
with Proofpoint. Do you envision
some of the capabilities that are involved here,
you know, with the rest of DISA
moving towards cloud, do you envision some of
these security capabilities maybe at the IAPs
or other places actually leveraging
commercial cloud capability? – Yeah, that’s
a great question. You know, we had an RFI
out on the street, where we got some pretty
exciting responses back that talk about opportunities of how we might be able
to do exactly that. So, we’re in the process
right now of reviewing those responses
and trying to make sure that the acquisition strategy
is open enough to allow for competition
that includes those options, as at least an option
for consideration. Stick, anything
you want to add to that? No? Good. I did want to use that sort of
as a launching point to highlight the importance
of the RFI responses. A lot of people over the years
have told me they read an RFI to try to figure out
what it is we want, so then they can tell us
what we want to hear. And that really
isn’t what we want. What we want is information to help us go
in the right direction and to tell you
what we’re thinking, so that you can help us adjust, if we’re not thinking
about the problem the right way. So, I think some of you
have done a great job of telling us,
“Hey, try a different idea; here’s a different thought
for you to consider.” Others have had that, and you talk about it
behind our backs, but talk about it
in front of our face. That’s what RFIs
are all about. So I would just ask you to be
open and frank if you see us– not insulting, okay? Open and frank
if you see us not thinking about the problem
in the right way, and use the RFIs
as an opportunity to help us
take a broader perspective. Another example of that,
by the way, is EMES. We’re going to be doing
the EMES follow on. We tried this last time
where the acquisition strategy was trying to fairly compete
COTS against GOTS strategies, so you could bid
whichever one you want. When we did
the after action assessment, I think the feedback
from industry and the feedback
from my own team was it wasn’t as level
a playing field as we would have liked it to be
for a number of reasons, having tried it
for the very first time. We’re going to try it again; and as you see
the RFI and the RFP, please watch
for that to make sure that we are looking
at it properly to allow COTS and GOTS
to compete, because we really
are not settled on one strategy
versus the other. We want to have both
on the table, and let them compete
head-to-head, okay? That’s kind of a tangent
from your question, but there you go. Okay, anything else? Somebody with a microphone? – Yeah, Mark,
how are you today? – Good.
– You look good. Two-part question, actually. One, what is your collaboration
piece with the IC right now? I know you’re doing a lot
of work with NSA and others, but can you go into
a little bit of detail on what you’re doing to kind of
cross-utilize capabilities? Because they have some
that you don’t, and so on. And then, second part, of that mix of things
you have up there, what is the basic split between
services and then product, hardware/software. – Okay, Pete,
is there anything at all that we can say
to the first question? – That’s what I was
just thinking through. – We do work well with them in ways that we aren’t
going to talk about here, okay? Because I think,
if you just look at roles and responsibilities,
it’s pretty obvious. We’re trying to leverage
commercial technology to address the threats
and provide the platform that commercial technology
is best suited to address. They, our intelligence
community partners are doing the nation state
to nation state attack scenarios that leverage things
that commercial technology is not necessarily
able to address. So, that partnership
is very tight. We work incredibly
well together, I think, and some of these capabilities
are an integration of both. I think I’ve probably said
as much as can be said, yeah.
– [indistinct].
– Yeah, yeah. So, I was lucky to see Pete
today. He spends so much time
over there. Okay, was there a part two
to the question? – Yeah,
with the mix of services. – Yeah, so the green-shaded work
is primarily the service side, and then the host-based
security system– actually,
with the exception of JRSS. I think we– yeah,
with the exception of JRSS, will be a capability. HBSS next generation. I don’t think
we’re even going to– we’re going to
disassociate it from that name just to make sure
that nobody is thinking that we want another
of what we have. But the replacement for HBSS
is a capability. Joint Regional Stack
is a capability. The rest of these are primarily
service offerings. Did I miss any, Chip?
Okay. – Sir,
from our virtual audience. Will the new HBSS use GOTS
integrated tools with COTS, as it is today? – Well, if I were
replying to the RFI, I would look
at the requirements and say
what’s the best solution? And if it was GOTS and COTS, or all of one,
or none of the other, you know I would offer that up
as part of an RFI response. But I do not want to be dictating and answering
that question, because that’s counter
to the conversation that we want to have, okay? All right, I’m glad they asked
that question, just so I could say
that I won’t answer it. [LAUGHTER] – We still have a few more
from the virtual audience. Do DISA organizations
follow the federal CIO’s digital playbook when planning
and building digital services, whether those services
are public facing, industry facing,
or DOD facing? – Okay, so we’re all looking a
little– all my backup guys had
the same look that I have. Huh?
– I haven’t heard that term.
– It’s probably a term issue. We certainly are aligned
with FedRAMP. We’re aligned
with all of the NIST publications and standards,
and we’re leveraging that to the absolute
maximum extent, more than we ever have
in history. The term playbook has got us
a little bit stumped up here, but, you know, what’s the
expression? We’ll call… Huh?
– Phone a friend.
– Lifeline.
– Lifeline, lifeline, yeah.
when we get home; but as it stands right now,
what I can say for sure is we are leveraging FedRAMP
as the absolute core and foundation
for everything we’re doing on the commercial cloud,
from accreditation, authorization standpoint. We’re totally aligned
with the standards that come out of NIST,
and I think mobility, we’re leveraging that,
as well. Playbook stumped me though. Next question.
– All right. How will you create
appropriate threat indicators, policies, or rule sets
on the Enterprise seams listed in COTS components
without a comprehensive threat intelligence platform? – Okay, so that assumes we don’t have a comprehensive
threat intelligence platform, which I basically
reject that assumption. So, I think we have
an organization down the street that provides
a pretty good capability– maybe world class even– threat intelligence capability. So, I think the assumption
is wrong. Was it a product-based question? – It might’ve been
a product-based question, because there are products produced [indistinct]
share information. – Yeah, so that is an area, because we have
the partnership with the NSA, we have an invested money
in buying a commercial service to augment what we get from
our intelligence community. I know that topic
comes up frequently, and it’s really
a cut line issue, not that there’s no value,
but if you have the best intelligence organization
in the world, you kind of feel like maybe
that’s not the biggest gap that you’ve got in capabilities. My son works there, by the way. [LAUGHTER]
I know they’re the best. Okay, next question. Any more? Yes, sir. Wait, we’ve got to wait
for a mic. – I don’t know
if I need a mic. – Well, there’s people out
in video land or something that would be deprived
of your wisdom, if we didn’t bring the mic. – I wanted to ask
about the insider threat. Without getting into details, do you feel like
you’ve made progress on keeping track of that one? – Okay, yeah,
next slide, please. Okay, I’m glad
you asked that question. I meant to have that
in my speaking notes; but since I don’t use notes,
I forgot it. The analytic cloud,
one of the priority efforts inside of that analytic cloud is
addressing the insider threat; and, again, without getting into
the absolute specifics of it, the guys working this
have come up with some amazing, amazingly scary,
but amazing products that help us see through
the data sources that we have here,
here, and here, where we have indicators of potential insider
threat activity. The stuff is just flat amazing,
and their ability to spin and pivot on information
is really impressive. I’ll just give you
a quick example, because I think we do have
a couple more minutes, right? Am I doing okay on time?
Yeah. They showed me one day–
I think it was– Dan, was it Tuesday?
I think. They showed me how they could
see across the SIPRNET, where there seemed to be an
anomalous amount of information going into a single point, okay? Anybody remember
Private Manning? Right. And then they showed me
how there was unusual– our use of removable media
at points in the network, okay? Do we have
any of those two things happening in the same place? Nobody asked us that before. Come back on Thursday,
and they had a new analytic dropped into the cloud
that brought those two together and showed
how you can take questions that somebody comes up with by seeing an insider threat
analytic on one day, and two days later
have a whole new analytic that answers a question that had
never been asked before– not that that was
the hardest question or the most sophisticated
insight or anything, but I think it shows
the power of the engine and the power
of the data sources that we have
available to us to get in front of
insider threat. I know you all have heard me
previous years say, as far as insider threat goes, my view is we don’t need
more technology out there scattered around the network. What we need right now
are the analytics to leverage the data that
we already have available to us. And then once we hit a gap,
we’ll deal with it, but let’s use the data we have,
build the analytics, and there’s a hell of a lot
we can do to get in front of
insider threat right now with the capabilities
already on the ground, okay? I don’t know how
I left this off the list, but another analytic thread
is cross domain, and we have those analytics
already in place, again, to get after–
call it insider threat or just protection of
classified information, which is sort of the title
I prefer to use. But even the rest of the world
likes insider threat, so on my charts I use their
words, not mine. But, you know,
how do we protect the confidentiality
of our classified information? We’ve got some great cross
domain capabilities, as well. Does that cover it? Great. Any other questions?
– Sir, we’ve got one more. It’s being written right now.
– It’s being written? Pause. We’ve got one over here
that’s already written. [LAUGHTER] Oh, you’ve got
to write it first– sorry. – Sir, you talked
about commercial cloud connecting to the Joint
Regional Security Stack. Can you talk about how you’re
working with the services to identify candidate applications
for sensitive but unclassified to leverage that commercial
cloud capability? – Yeah. So, it’s an ongoing process. Mr. Halverson
is personally interested in driving that effort. We’ve, in partnership
with the services, we have five candidates already
identified for pilot activity that is working over
the next several weeks. Only one of those
is a DISA system. The other four
came from the services– I guess one from an agency.
Is that right, Pete? Anyway, non-DISA, spread across
not a single service, but we’ve got that working. What Mr. Halverson
tasked us to do, as a result of some not
necessarily positive feedback, but constructive feedback
on the cloud security model was to update that in a way that industry
can understand better what they need to do and also
make it easier, by the way, and then
make it easier to understand on the government side how to
understand what cloud service options
are appropriate for the various missions,
system requirements, et cetera. Like I told somebody
a few minutes ago, for people like me that are
in the security business, the thing is perfectly easy
to understand, okay? I read it. It’s all the terms
that I live with every day, but people that live out there
in the real world had a little bit of trouble
understanding exactly what we were
trying to say. So, we’ll try to do it in the
English language translation. We brought in
some English experts to figure out how to translate
from our words to theirs, and part of what
we’re doing now is to come up with a better message
to communicate, so that system owners
across the Department would know how to leverage
commercial cloud, where that’s appropriate, what the risk acceptance
decisions are, and then also better
articulate to industry what they need to do. Did that cover your question? The five pilots
will help us a lot in answering a number of
different questions. Okay–
that being one of them. – Sir, we’ve got
about two minutes. You have time for one more. As DISA and the services
issue JIE contracts, is DISA coordinating with
their IC program partners? It seems that JIE and IC ITE have multiple layers
of comparable requirements. Is DISA and IC coordinating to
leverage progress of the other? – Yeah, so… under the broad banner
of JIE contracts, I think other people
have answered the question about is JIE a program,
and what are JIE contracts? So, I won’t try
to rehash that ground. In terms of the single
security architecture and cyber capabilities subset of what contracts
are underway to provide capabilities
under the JIE framework– did I get the right–
yeah, we are
absolutely partnered with the intelligence community. For example, you look
in that analytic cloud, that big data platform,
that set of open source, primarily
open source technology, is inherited from
the intelligence community. We had to add to it
a little bit for some things
that we couldn’t replicate at the secret
and unclassified level, but the foundation is
what we inherited and adopted from the intelligence community. Work across
the security architecture, they use HBSS because
they got it from us, and they’re leveraging
the technology that we provided. There are some areas where we’re evaluating
and comparing notes and then making
conscious decisions that we have a reason to do
something slightly differently, but we are, I think,
consistently working together, and sharing our notes, and coming up with common
approaches whenever possible. Their commercial cloud strategy,
the CIA effort in particular, where they brought the
on premise commercial cloud is absolutely one
that we are working with and trying to learn from,
so that we leverage and build off
of their experience, not start over
from scratch, okay? I’m out of time?
Out of time, okay. You guys got off easy. Even my best effort to try to set them up
for hard questions failed.