WASHINGTON — The U.S. Defense Department’s IT shop wants to bolster the cybersecurity of its remote collaboration platform it rolled out in response to the coronavirus pandemic.
Speaking to reporters Thursday, Pentagon Chief Information Officer Dana Deasy said the department is considering adding additional layers of cybersecurity to its Commercial Virtual Remote Environment to allow for “much more secure types of collaboration.”
The CVR platform — essentially a Microsoft Teams platform that allows for Department of Defense employees to collaborate remotely — has about 1 million users and is certified at “Impact Level-Two,” which allows users to work on noncritical mission information from home.
Deasy said the department is discussing how to pivot the CVR Environment to “Impact Level-Five,” which allows for work on mission-critical information.
“There’s a lot of pilots going on right now on how we pivot CVR from kind of an IL-2 world to an IL-5 world between now and, I’m going to say, towards the end of this year,” Deasy told reporters. “And so if you were to ask me, ‘What is the big heavy lifting we’re working on right now,’ it’s how do we actually do that pivot from an IL-2 to an IL-5 world?”
The DoD CIO shop began rolling out CVR in late March with a speed Deasy at the time characterized as “extraordinary,” at one point adding 250,000 new accounts in a day. The rapid shift and implementation of telework infrastructure was facilitated in part by $300 million the department received for IT as part of a coronavirus relief package passed by Congress.
Deasy added that the recent funding boost has “adequately allowed us to build out the necessary teleworking environment.” When planning the creation of the CVR environment, Deasy said IT leadership consider it a success if 100,000 DoD users are using CVR. But when asking Congress for more money to accommodate telework, he said the department had to think into the future.
“But then we stopped and said: ‘Well, what if this thing was to grow to be a lot bigger? Do we have the right funds to support a much larger, robust commercial solution?,’ ” Deasy said. “It’s not only about the right money for the infrastructure and the licenses, but to maintain a CVR environment, for collaboration for chat rooms, for teams being stood up. There’s a whole background infrastructure support that has to be stood up in that environment as well.”
Preparing for telework has been a massive undertaking for the department and its components. In recent months, the U.S. Army expanded its network capacity by 400 percent; the Air Force increased its virtual private network infrastructure from 10,000 users to 400,000 users; and the Navy increased remote network access for up to 500,000 users.
The DoD had to expand its network capacity and hand out new devices to employees, among other steps to ensure effective and secure telework. Last week, Deasy’s deputy, Peter Ranks, said the department was having ongoing discussions about what telework policies would stay in place after the pandemic — something Deasy reiterated on Thursday.
“There is an active conversation about what does a sustained teleworking environment look like. We’ve now built this amazing, robust infrastructure,” Deasy said. “And so there’s no doubt that we will be leverage that in the event that the future requires us to.
“The conversation I find myself more involved with is how it’s changing our way to bring people together quickly for meetings, readiness conversations, training exercises.”
He added that he sends a weekly email to Defense Secretary Mark Esper about what his office learned about the CVR and telework environment over the previous week.
Throughout the ongoing pandemic, officials across the services and components have continuously stated that IT projects that typically take years have been cut down to days or weeks. For example, Army CIO/G-6 Lt. Gen. Bruce Crawford said in June that the Amy was rolling out a platform for remote access to classified information for 2,000 users.
Remote access to classified information is a complex issue, with Ranks and the acting CIO of the intelligence community saying on a webinar last week that any remote classified access must be extremely targeted and dependent on an employee’s role.
Telework has also introduced new cybersecurity risks for the Pentagon. Deasy said that dealing with the work-from-home situation “accelerated the work” between information security officials at the National Security Agency, Cyber Command and the Defense Information Systems Agency. At one point, Deasy was having daily meetings about telework security with a task force made up of officials from CYBERCOM, the NSA, DISA, Joint Force Headquarters DoD-Information Network and the Joint Chiefs of Staff.
“I can say with a lot of confidence that the work that we’ve all collectively have done, along with our industry partners, in this space is just revalidating for us that we can live in a cloud world successfully, even though we know that the adversary is going to continue to work very hard to compromise us,” Deasy said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.