Integrity - Service - Excellence
Headquarters U.S. Air Force
Emerging Best Practice in IT Architecture & Acquisitions
Dr. T. Rudolph
CTO, Electronic Systems Center
Hanscom AFB, MA
12 November 2009
(Irregular Warfare, Stabilization, Homeland Defense, Emergency Response, Disaster Recovery, Humanitarian Relief)
A Changing World
Financial Meltdown
Healthcare Crisis
…And It’s NOT Just Our Security Environment
U - I
V - D
A - S
G - P
Visibility and Discoverability
Understandability and Interoperability
Accessibility and Security
Governance and Policy
The “DNA” of Information
Changing Operational Landscape
[Figure: operational domains (Cyberspace, Space, Airborne, Terrestrial) with programs FAB-T, DSCS, Space Radar, TACP-M, Airborne Network, SIAP, TDL-LINK 16, JPALS, ROBE, JTEP, GATM (CNS/ATM), JTRS, MEECN]
Changing Technology Landscape
Net-Centricity Information Transparency SOA Standardization Semantic Technologies Interoperability Cloud Computing Information Security IPv6
Opportunities to use Commercial Innovation and Leverage Commodity IT
What SOA isn’t
• A specific architecture
• A product
• An Enterprise Service Bus or many ESBs
• Not necessarily required
• A destination
• A way of life (at least an interesting way of life)
• A guarantee of success
• … alive?
SOA is Dead; Long Live Services, Anne Thomas Manes, 1 Jan 09
Governance … but Enterprise Governance is required
History of Information Transparency
[Figure: timeline, 1975 to 2010 (1975, 1985, 1995, 2005, 2010): usenet, WWW, Yahoo!, Excite, Google, Wiki, Semantic Web. Historical precedents: taxonomy, 340 BCE; encyclopaedia, 77; bibliography, c. 500; concordance, 1250; patent, 1464; salon, 1664; yellow pages, 1883. Labels: social networking, topical organization, publishing, co-citation, language statistics, browsing, relevance, authoritative, controlled vocabulary; disconnected content producers, volume of content producers, volume of co-citations, quality of content producers]
Business Transformation with SOA
1997 2000 2001 2002 2003 2004 2005 2006 2007 2008
Slash network monitoring costs
Transform web search
Transform music distribution
Customer in-transit visibility
Total account management
New media model
Office SW on browser
Deployment Readiness
DIMHRS Risk Mitigation
Changing Business Landscape
• Content Generation
• Data Strategy
• Content Provisioning
• Business Process Modeling
• Enterprise Architecture
• Securing the Network
• Securing the Content
Required for Enterprise Security and Governance
Vision: Transformed Acquisition Process
• More agile/focused mission services
• Evolution to more common IT framework
• Hosting consolidation
• Shared resources/services - right sized to meet ops tempo
• Enterprise Security
Changing acquisition to better leverage services, share infrastructure, and interoperate through federation
[Figure: Program A, Program B, … Program N. Labels: Vertically resourced Programs; Mission applications tightly coupled to infrastructures; delivering capability agility; Common IT Framework]
Changing Acquisition Landscape
• Away from Systems
• Away from Point-to-Point
• Away from Brittle/Fortress-type Security
• Away from Code reuse
• Away from revolutionary large-scale systems development
• Towards Capabilities
• Towards Data Sharing
• Towards End-to-End Enterprise Level Security
• Towards Shared Services and Infrastructure
• Towards iterative/rapid evolution of components
More Granularity and Flexible Contract Vehicles
Effective C&A
Establishing ESC leadership/responsibility for local certification of PEO programs (including reference architecture, inheritance, type C&A constructs) supports a more timely and effective C&A
Current State:
• C&A timelines are expressed in months or years after completion of development
• Incentivizes users to circumvent controls, creating additional risk
Future state:
• Establish ESC/EN to achieve networthiness (applications, products, services)
• Enterprise Architecture-based
• Mission assurance based on real risks and salient impacts
• Inherited C&A with confidence with reciprocity to Joint & other services
ESC Networthiness
• Assigned roles/authorities--single engineering process owner
• Deep functional area expertise--increase security engineering skills
• Defined and well-known standard process--ESC O-SEP and process standard
• Provide training/certification of others--core to engineering training
• Mobilize/surge when needed--focused IA teams at Gunter, WPAFB, and Hanscom
• Audit and report results of process
More Capabilities to the Warfighter
“Build in” Certification
Current State:
• C&A Timelines Are Expressed In Months After Completion Of Development
• Incentivizes Users To Circumvent Controls, Creating Additional Risk
Future State:
• Establish ESC/EN To Achieve Networthiness (Applications, Products, Services)
• Enterprise Architecture-based
• Mission Assurance Based On Real Risks And Salient Impacts
• Inherited C&A With Confidence With Reciprocity To Joint & Other Services
Transition Focus From Speed Of Acquisition To Speed Of Moving Capability To The Field
Services Lifecycle
Strategic Investment
• Invest now into Governance – Pay me now or pay me later
• Strong Governance Strategies ensure tiered accountability
• Ensures efforts do not work in a vacuum
• Facilitates realization and separation between infrastructure and Core Capabilities
• Continue consolidation efforts
• Leverage lessons learned from others
Institute and Reinforce the Culture Shift
Governance Structures
Overall IT Governance
Implementation
Contract Mechanics and Program Execution
Level of Governance
Senior Steering Group (CIO/CMO/SAE/PEO)
Enterprise Analysis & CM
Solutions Governance (Engineering Oversight)
ESC CCB / Engineering Sufficiency Reviews
Programs
NETCENTS-2 Program Office
Policies & Regs
Capability Prioritization
Capability Engineering
User’s Guide, Templates, and Due Diligence CL (PO)
External to ESC
Internal to ESC
Compliance and Technical Rigor
Elements of the ESC Governance Model
Engineering Baseline: Technical Guidance
IT Governance
Strategic IT Direction
AF Enterprise Architecture
Engineering Baseline: Asset Inventory
Programs of Record (PoR)
SSG
Strategic
Operational
Tactical
IT-LC
CCB
PMO
TWG
Solutions – Engineering Baseline
Engineering Baseline = Guidance + Knowledge
Answers 4 questions:
• What am I acquiring?
• Should I use existing infrastructure?
• Am I building new products right?
• Am I building anything that could be used by others?
[Figure: ESC Engineering Baseline (Technical Guidance, Asset Inventory), Programs of Record, and Configuration Control Board. Inputs: Changes in Policy, Technology, Standards. Outputs: Assets to the Field. Flow labels: Info Gathering, Produce, Inventory Update, Update Inventory, Change Guidance, Direction, Re-use, Change Request, Qualifies]
Organizing Enterprise Framework for Capability Delivery
Capability Delivery
Engineering Baseline to provide guidance and share knowledge between programs
Governance and Data Strategy supports interoperability and information sharing
Certification & Accreditation refocused on Mission Assurance
Capabilities to the warfighter, rapidly
Development
Certification & Accreditation
Rapid Capability
Guidance
Knowledge
Convergence support Agile Capability Delivery
…because the adversary is here
Photo courtesy of Dr. Roger G. Miller, HAF/HO
And we have only seconds to defeat him…
Questions?
BACK-UPS
NDAAs
NDAA 2008 Section 904
• Requires appointment of DoD Chief Management Officer and Deputy, as well as Services Chief Management Officers.
• CMO duties:
  • Ensure capability to carry out the strategic plan of the Department of Defense in support of national security objectives
  • Ensure the core business missions of the Department are optimally aligned to support the Department’s warfighting mission
  • Establish performance goals and measures for improving and evaluating overall economy, efficiency, and effectiveness and monitor and measure the progress
  • Develop and maintain a strategic plan for business reform
NDAA 2009 Section 908
• Sets minimum objectives for Services CMOs
• Mandates creation of a Director of Business Transformation (DBT) and Office of Business Transformation (OBT) reporting directly to CMO
• Sets minimum scope for OBT – Budget, Finance, Accounting, Human resources – extensible by SECAF
• Provides DBT with authority over all elements of the military department to carry out transformation initiative
NDAA 1999
• Review budget requests for all IT and NSS systems; ensure that IT and NSS are in compliance with standards of Government and DoD
• Ensure that IT and NSS are interoperable with other relevant IT and NSS
• Coordinate with the Joint Staff with respect to IT and NSS
Elements of a Complete Governance Model
1. Governance Strategy, Scope and Goals
2. Governance Stakeholder Model
3. Governance Goals, Principles and Policies
4. Policy Enforcement and Provisioning Model
5. Governance Enforcement Mechanisms
   a) Organizations and Boards
   b) Governance Processes, Events and Triggers
   c) Governance Enabling Technology and Tools
6. Exception, Waiver, Escalation and Appeals Process
7. Governance Metrics and Behavioral Model
8. Governance Communications Model
9. Governance Feedback and Management Reviews
10. Governance Performance Management and Sustainment
Applied Governance
Budgeting, Ownership & Funding Models
Enterprise Governance Models
Organization & Processes
Roles, Skills & Assimilation
Behavior, Culture & Incentives
Metrics & Scorecards
Processes & Policies
People
Tools & Technology
• Governance required at different levels
• Not just a committee, but a new way of life
• Governance is Policies, Processes, Organizations, Tools that lead to the desired behavior
• Need to proceed smartly and learn from the lessons of the past
• Integration Culture Shift
• Stabilizing the patient through architecture and strong governance will help secure the network while developing a strategic path forward and reducing overall lifecycle costs
Five Aspects to Air Force OTD
Open Architecture Air Force Enterprise Architecture
Open Standards ESC Engineering Baseline
Open Development Collaboration Automated Metadata Population Service
Open Source Forge.mil
Open Systems Office of Naval Research Navy Reference Implementation
http://nesipublic.spawar.navy.mil/nesix/View/P1307
(https://enweb.mitre.org/wiki/index.php/OTD)
Three-Legged Stool of Capability Delivery
[Figure: three legs labelled AFNetOps, Requirements, and Rapid Development. Organizations: SAF/AQ, SAF/XC, ESC, AFSPC, AFSO21, CMPPITP, Lead Commands. Other labels: Streamlining IT; Enterprise Architecture; Engineering Baseline; Capability; Process; Vocabulary; Service]
Assume Attacks Will Succeed and Limit the Value of Each Attack
• Assume compromise; rebuild routinely
• Decouple external and internal networks
• Use Wisdom of the Crowds
Retake the Asymmetric Advantage By Constantly Changing the Attack Surface
• Choose from a million random variations
• Distribute servers, apps, data across VMs
• Add in out-of-band elements
Adaptive CONOPS to “Fight-Thru” Attacks
• Instrument network for machine learning
• Composable security
• Collocate Ops, Development, R&D
Repurpose Virtualization from Cost Efficiency to Mission Effectiveness
Infrastructure Convergence
Virtualization for Mission Effectiveness