Pentagon CIOs struggle with legacy tech, security. Sounds familiar?

Defense Department tech chiefs working to modernize sprawling IT infrastructure encounter similar hurdles — if on a larger scale — as CIOs in other agencies and the private sector.

Kenneth Corbin Sep 24th 2018

Patrick Flanders has been thinking a lot about IT modernization.

Flanders, CIO of the Defense Health Agency, is gearing up to consolidate control over the Pentagon's sprawling network of treatment centers, in the process centralizing a far-flung set of IT operations that raise a host of security and device-management considerations.

"As we grow and take over management and administration of these networks and these facilities, cyber really is at the top of my list for priorities," Flanders said during a recent panel discussion hosted by Federal News Radio.

DHA is set to begin taking control over the nearly 700 Military Treatment Facilities through a multi-phase process starting on Oct. 1. That means that Flanders and his team will soon have the same headaches familiar to any CIO who has tried to establish a management regime over a hodgepodge of devices.

"Our other problem is we have hyper variance in medical devices across all these treatment facilities that heretofore bought their own things," Flanders says.

DHA's solution is to set up what Flanders calls a "medical logistics material management center" in a bid "to try to create a catalog to help standardize those procurements."

Reshaping federal IT

Many of the challenges facing Flanders and his team are unique to the health care mission of DHA (transitioning to a uniform electronic health record, etc.), but in some measure they also run parallel to the larger IT transformation underway at the Pentagon and, indeed, the rest of the federal government.

The Defense Department, far and away the largest consumer of technology in the U.S. government, exerts an outsized influence on the trends reshaping federal IT.

"The Department of Defense is a massive place," says David Wennergren, managing director at Deloitte Consulting, and the former deputy CIO at the Defense Department. "It's a complex environment, but that said, there is lots of IT that operates inside the Department of Defense that looks just like IT in the private sector, too."

The Defense Department, like other federal agencies, is working under a directive from the Trump Administration to strengthen its IT posture through what the White House is calling the President's Management Agenda. That initiative, in addition to calling for more efficient and secure IT systems throughout the federal bureaucracy, is directing agencies to realign their hiring processes to bring on personnel with the most relevant skillsets, and is calling for more open and transparent data to hold the agencies accountable for delivering on their business objectives.

The administration followed up on the PMA program in May of this year, when Trump issued an executive order aimed at strengthening the role of the agency CIO, vesting the information chiefs with review authorities for IT projects and more direct oversight of their organizations' hiring processes.

At the Defense Department, which carries an annual IT budget of around $45 billion, Wennergren says that IT modernization and cybersecurity stand as the "twin pillars of getting IT right."

Getting IT right

"Modernization" may be the watch word, but so large an enterprise, and one that is still so rooted in legacy systems, is not a quick ship to turn, Wennergren notes. The continued reliance on aging technology is another symptom of the Pentagon's condition that will likely resonate with CIOs of smaller shops.

"DoD, like many other federal agencies and some private sector firms, is still spending the preponderance of its money on maintaining an aging set of legacy infrastructure systems — 80 percent or more — and that is not a recipe for success in the long term," Wennergren says. "These thousands of legacy systems are eating our lunch in terms of money, and we need to look at them and decide what do we want to retire, what do we want to replace, and what might we want to refresh."

"You're falling behind," he adds. "Not only does it cost too much to maintain that old stuff, but it also makes it harder to implement new technologies and it creates huge sets of cyber vulnerabilities. So there is a push across DoD to address this IT modernization issue."

Increasingly, those efforts come with the acknowledgement that agencies don't need to reinvent the wheel with each new IT initiative. The government has a decidedly mixed track record with customized, home-brew IT projects. Reforms to the federal procurement process, combined with a surging number of vendors offering ready-made cloud, networking and other systems, have compelled many federal CIOs to lean more heavily on the private sector for their IT, provided that those firms can offer adequate security assurances.

"The bottom line is we need to understand how industry leverages the data, because we've learned we don't need to own all of the infrastructure," says Rear Adm. David Dermanelian, assistant commandant for the U.S. Coast Guard's Command, Control, Communications, Computers and Information Technology unit, or C4IT. "And so how does industry protect the data to the level that [it] needs to be protected?"

From the private sector side of the equation, vendors are increasingly tailoring contracts to meet an agency's needs for a specific project, and both sides have been relaxing the terms of those agreements to allow for iterative development and avoid making a binding, long-term commitment to any one technology or architecture that may soon become outmoded.

"It's not about building something that's static, that's going to be around for eight or 10 years," says David Young, senior vice president of strategic government at CenturyLink. "It's really building something that enables growth — the unforeseen growth."

In CenturyLink's business, for instance, permission-based networking has taken over for the older, conventional design in which the ability to get on the network typically meant broad access to its contents.

"There's a host of technology things that we can bring to the enterprise and to the government that we see over on the commercial side of the business that's about incorporating those changes more frequently," Young says. The new model of flexible contracts, then, look to pave the way for agencies "easily changing into this lifestyle of continuous modernization."