The Defense Information Systems Agency (DISA) will rely heavily on DevSecOps to drive implementation of the Defense Department’s Joint All-Domain Command and Control (JADC2) initiative by rapidly delivering new capabilities and tools at mission speed, then adjusting, iterating and scaling those capabilities across DOD components and military service branches.
At the AFCEA TechNet Cyber 2022 conference in Baltimore this week, DISA and military service branch leaders said the heart of JADC2 is the ability to share actionable data across services and components quickly and securely to drive faster, more precise decision-making in theater.
Col. Kevin Finch, DISA’s JADC2 lead, said during a panel, “I can’t tell you how many times I’ve had conversations about JADC2 and ultimately the discussion becomes, how do you get information from point A to point B?”
DISA Director Lt. Gen. Robert Skinner said he envisions DISA’s contributions to JADC2 as a mix of legacy systems and new technologies organized within a DevSecOps environment, which he said will be a challenge industry can help address.
“How do we truly bring DevSecOps to the legacy environment? That’s hard,” he said during the Tuesday morning keynote. “We could use [industry’s] help there. Running the cloud is easy if you have a modern application. We have thousands, if not tens of thousands, of applications that aren’t modern, and that’s the bulk of the issue in my mind when it comes to leveraging cloud applications.”
DISA Acting CDO Caroline Kuharske echoed Skinner’s vision regarding the harmonization of legacy and modern technologies to serve JADC2 during a Tuesday panel at TechNet Cyber.
“Our legacy environment tools have to evolve, and that’s what we’re here to do with JADC2, take what we’re doing now and get to that data exploitation,” she said. “I don’t see the legacy things going away, just getting bigger and better.”
DOD believes a DevSecOps approach can bridge the gap between legacy tools and more modern cloud applications.
“The idea of JADC2 normalizing massive amounts of data from all different platforms is what’s going to really push this effort over the edge and make it a success,” Kuharske said. “It’s really going to revolutionize how we’re exploiting data and evolving our data hygiene across the department. The streamline of that valuable data is really the focal point.”
Danielle Metz, deputy CIO for information enterprise at DISA, said the DISA CIO is “accelerating DevSecOps throughout the department” because it is a “core component” of DOD’s new software modernization strategy.
“This extraordinary undertaking is to transform the department’s software delivery process. Software and the department’s ability to rapidly deliver resilient software-based innovations are an increasingly critical component of mission successes and a key driver of military advantage,” Metz said during the Wednesday morning keynote. “IT is an enabler for every mission in the department. We must be able to transform data into actionable information, even in the face of persistent cyber threats.”
DOD’s rollout of Microsoft Teams in response to mass telework at the beginning of the COVID-19 pandemic is an example of DevSecOps success, Metz said.
“Teams used industry best practices, like Agile processes, to enable the quicker production of MVPs (minimum viable products) and iterative rollout in increments,” she said.
The department wants to capitalize on this success to enhance JADC2 implementation.
DevSecOps will also inform one of DISA’s “premier” command-and-control (C2) contributions to JADC2: the electromagnetic battle management (EMBM) system via the electromagnetic spectrum (EMS).
“[The EMBM] is the DOD’s flagship because it ensures our combatant commanders have the capability to enhance ops within an electromagnetic environment,” said Col. Andre Johnson, director of DISA’s Joint Spectrum Center. “It’s going to enable JADC2 overall.”
Johnson said the EMBM includes four capabilities: situational awareness, decision support, C2 and training support.
Christopher Argo, director of the DOD's Defense Spectrum Organization (DSO), said the EMBM’s current goal is to achieve initial operating capability in September 2022 and final operating capability in 2024.
Aside from the EMBM’s capabilities, securing the EMS will be foundational to JADC2 because it makes it possible to “target, track, communicate, sense, assess, share” information, said Air Force Brig. Gen. Darrin Leleux, who leads the Electromagnetic Spectrum Operations Cross Functional Team.
“If we lose the war in the EMS, we lose the war in the air — and quickly,” he said during a Tuesday panel. “Targeting, tracking, communicating, data links, sharing, assessing, all those use the EMS. It’s really critical to ensure our warfighters can use the EMS for the purposes that I just described when they need to, then to deny that to our adversaries when we need to. In near peer competition it can be denied to us, and our systems really rely on it.”
“When you look at DISA’s role in JADC2, every single use case when you imagine getting sensor data to a decision-maker involves spectrum,” Hermann said during the Tuesday panel. “Sometimes it’s the tactical piece, and sometimes it’s long haul communications that relies on that as well.”
Given the importance of the EMBM and EMS to JADC2, “baking in” security at the beginning of the development process is imperative because security is impossible to tack on at the end of the process.
“Why DevSecOps? My mission is to empower DOD to solve tomorrow’s spectrum challenges today,” Argo said. “The big focus for me right now, top priority, is developing EMBM … for combatant and [other] commanders to make swift decisions that they can fight through the electromagnetic spectrum without interference and any problems getting on target. The EMBM is to facilitate operations more than anything else and cuts across all the domains.”
During a TechNet Cyber media roundtable Wednesday, DISA Digital Capabilities and Security Center Director Jason Martin said DISA is “working directly with the DOD CIO” to ensure security is baked into EMBM via the DevSecOps process.
“As we use an Agile software framework for building out the capability, we’re going through various components of the acquisition framework and testing early and failing and failing quickly and moving forward,” Martin said during the media roundtable. “Higher-level paths like capabilities to make sure we do bake in compliance from the onset. It’s all done in conjunction with our cyber experts.”
Skinner said DISA is also working closely with industry vendors to ensure the EMS is protected and security is baked into EMBM.
“You cannot have JADC2 if you do not have protected EMS,” Skinner said. “While the system is great to understand the battlespace, it’s also how is industry baking in security with all those platforms and endpoints and user devices that are leveraging different pieces of the spectrum? That to me is just as important, if not more important. How do we make sure that security is baked in so that way as we’re using the capabilities that are cybersecure already and makes it less hard to keep it hardened because it’s already baked in?”
The DOD CIO has been responsible for the EMS strategy since August 2021, which reveals DevSecOps as a common theme among DOD OCIO approaches to IT modernization in preparation for JADC2.
“Like anything else, how are we baking in continuous monitoring, regular compliance to have the exact posture at a given time?” Martin said during the media roundtable. “I do think it is important to note that this [DevSecOps approach] will be one of the foundational components [of DOD IT modernization efforts].”