Editor's Note: This article was originally published on May 13, 2014.

As the chief information assurance executive at the Defense Information Systems Agency, Mark Orndorff is working on some of the Defense Department's highest-profile efforts in cybersecurity, mobility, cloud computing and technology in the military writ large. They represent a wide range of DISA's reach, but they're all linked — and Orndorff is passionate about all areas. He recently sat down with C4ISR & Networks Senior Writer Amber Corrin to talk about some of the agency's top priorities, and how DISA is working to push DoD into the future.

C4ISRNET: What's the latest in cybersecurity in DISA?

Mark Orndorff: The buzzword is building a defensible architecture. And providing that with the concepts of the Joint Information Environment. Core data centers, good capabilities for the operations centers to operate and defend the core infrastructure ... we're continuing to evolve those key components and improve how we operate and leverage technology that we've already put out there to make it more of that defensible architecture.

Over and above that, the biggest thing we're doing right now is the joint regional security stack. At the simplest level you can say that's just a different way of doing the same old thing: taking firewalls at the services, agencies and combatant commands, all centrally trying to implement what's scattered around the DoD network. On the surface it may look like it's just a technology refresh of some of the things we've been doing over the years, but in that tech refresh we've come up with a much more robust design that gives us a suite of capabilities that we've never had before. So we're getting a consistent level of security, and then we're doing it in a way that we can globally manage so that we can have much more rapid ability to insert countermeasures and have widespread or global improvements.

C4ISRNET: What is influencing cybersecurity the most at DISA right now, in your view?

Orndorff: The two main things going on that are influencing cybersecurity, that are essentially challenging the cybersecurity security within DISA, are the efforts in cloud and mobility. Both of those have the potential to either degrade our security posture or improve our security posture. We can shape that and direct that whichever way we choose. So we're choosing to use those as opportunities to improve our security.

What we did was try to put together a cloud security model that lays out the right level of security for a bunch of different information-processing or requirements, based on the sensitivity of the information, the criticality of the information and so on. We're trying to figure how best to leverage the various options for cloud solutions so that we're spending the right amount of money for the right amount of security for the right requirements. What that has defined for us is a set of work that we can put out into the commercial cloud, a set of work that will fall into a DoD private cloud that's connected to the DoD backbone network, and then a set of work that would go into the DoD-controlled, operated and defended portion of the cloud architecture. Our goal is to get to a point where we're spending less on the things we care least about, and focusing our investments and our security architecture on the things that are most important to us.

Mobility is a similar type of situation. We've partnered with industry, and we're working to make sure that mobile devices are delivered with the DoD security requirements in line up front, and building out our defense and architectures so that we can bring the mobile platforms right into the DoD networks and have full functionality leveraging the latest and greatest from industry. And we can do it in a way that will actually improve our security over what we have today with the typical notebook computers or PC platforms.

We have a ways to go and we have challenges ahead of us, but I see cloud and mobility as two big efforts as far as new technology that's going to be key to our cybersecurity focus going forward.

C4ISRNET: Speaking of new technologies, how do you get over DoD's infamously long acquisition cycles so you can capitalize on the cutting edge?

Orndorff: It's definitely a challenging area, and it's one we're struggling with constantly: to get the right balance between agility and the ability to adopt the latest technology, but still live within the acquisition laws and rules. I'd say last year was a good example where we had an opportunity to deploy the regional security stack in partnership with the Army and Air Force. There were some pretty innovative, creative techniques so that we were able to, in about three months' time, get a robust and wide-ranging set of capabilities purchased in a quantity to support all the continental U.S., part of Europe and all of southwest Asia. So that to me was a huge success story.

Of course we have other situations ... where we get stuck in an acquisition process of 18 months or two years to get a capability. At this point we're basically taking the ones that are too slow, that take too long and walking it back to see what drove that timeline and what we can do to do better next time. And when we have successes like with the joint regional stacks, we try to build on that as we go forward.

Part of our strategy is to make sure that whenever we're using commodity capabilities that we make the acquisition process as simple as possible, and then when we're into the leading-edge, latest innovative technologies, that's where we spend a little more time doing more lab work, more piloting. That'll take us a little longer to adopt.

C4ISRNET: To combine the themes of cyber, technology and network operations, there's one key part you've said you can't leave out, and that's the workforce. What are you working on in that regard?

Orndorff: DISA has a partnership with the services; we're building out a workforce program that's tightly coupled to the rollout of the joint regional security stack. In fact, that's the critical path for the joint regional security stacks — the training and the support for the workforce. Buying, testing, implementing, installing … all of these are technology-related tasks and are easy and fast in comparison with the work we're doing on the workforce to make sure that we have people trained and certified and ready to protect, operate and defend the space that we're building.

One of the key things we've done in support of that is we've built out a cyber range with the security architecture I've described so that we'll have the workforce go through a training program. Part of that will be operating on the range with simulated attack scenarios to validate that the workforce is trained to the point where they can effectively use the capabilities to identify and respond to the different attack scenarios that we expect them to be ready to operate against.

So the workforce is inserted into the overall strategy — getting the workforce right is more important than getting the technology right. We're definitely making that a key focus of our efforts.

We're all part of the cyber workforce. So coming up with an appropriate level of training and reinforcement of what it means to each of us to be a member of the cyber workforce is also part of that initiative. We're going away from some of the older approaches where you have annual training and check-the-box, compliance-based efforts, and more toward activities built into the day-to-day routine to keep it on the forefront of everybody's thought processes.
