Five years ago, about the biggest thing the Navy had achieved from its cautious experimentation with commercial cloud computing was the hosting of public-facing websites with relatively low cybersecurity demands.
Fast forward to 2021, and the Navy has now conducted the biggest cloud migration of any enterprise resource planning system in the world, built its first new system in a cloud-native fashion using a modern DevSecOps pipeline, and significantly restructured its networks to accommodate a workforce that will largely be consuming IT services from commercial clouds instead of servers inside the Navy’s network boundary.
Those steps are not unrelated. In order to manage the transition of Navy ERP — the Navy’s biggest business system — from Navy data centers to Amazon Web Services, the Navy had to change its network architecture from one that was “cloud intolerant” to one that was at least reasonably capable of consuming commercial cloud services.
“Our enterprise network was organized to be an intranet. We were using late-90s technology to consume services within the Navy, and we weren’t ready for a shift to the cloud,” Andrew Tash, the technical director for the Navy’s Program Executive Office for Digital and Enterprise Services (PEO Digital), said during a keynote discussion for Federal News Network’s DoD Cloud Exchange. “We’ve had to rearchitect our network to be internet-based as opposed to intranet-based, and ERP was the driving factor behind that. We’ve done a lot to continue to expand our cloud connectivity at all of our major sites, which we have now achieved.”
COVID-19 was a major forcing function as well. Even though naval networks had become “cloud tolerant” a year ago, they still weren’t quite ready for the sudden and unexpected transition to telework via Commercial Virtual Remote (CVR), DoD’s quick-turn implementation of Microsoft Teams.
“We had laid the foundation of what it would look like to not rely on the DoD network, so we had a lot of that in place. When the pandemic hit us, the Navy was actually positioned very well to pivot and allow connectivity from off-prem, we were able to move some sites to be public facing and not require people to VPN into our network,” Tash said. “We had some VPN capacity issues that we overcame very rapidly, but we’re still trying to pivot away from the reliance on VPN and being on DoD networks.”
The Navy hopes to accomplish much of that pivot via an initiative called Operation Flank Speed, which aims to build on the successes of CVR by permanently moving its office productivity and collaboration tools into a commercial cloud environment. Moving at “flank speed” is important because there isn’t much time before CVR disappears and the Navy must move to a long-term implementation of Microsoft 365 services; CVR is scheduled to sunset in June.
Meanwhile, the Navy has been making significant changes in how it acquires, budgets for and plans software development in the cloud space.
In December, senior Navy Department officials signed a new cloud policy that centralizes the Navy’s cloud acquisitions within PEO Digital. That’s partly an effort to give the department more visibility over how it’s using cloud services, and partly to bring economies of scale to its purchases of cloud capacity from big service providers like AWS and Microsoft.
“When we did the data analytics on how we were buying commercial cloud, one of the big things we noticed was we had about 100 cloud contracts that were buying very similar things,” said Travis Methvin, who leads the Navy’s Commercial Cloud Services Program Management Office. “One big thing that Operation Flank Speed is doing is creating that naval environment that we’ll be able to use to track where Navy workloads go. [We want] something that’s already accredited, defended and has zero-trust principles to help get us to the cloud at scale.”
Toward that end, PEO Digital is also building new mechanisms that will let the Navy tie services together in a multi-cloud environment. When various Navy customers have a need for cloud services, they’ll be expected to log into a new storefront, cloud.navy.mil, select the services they need, and have them quickly provisioned — mostly via automated scripts.
“Over the next four-to-six months, you’re going to start to see the ability to use API-driven self-service deployments for things like infrastructure-as-code for our agreements with Azure, you’ll start to see software-as-a-service with our partnership with ServiceNow, and we’ll be looking at other opportunities for industry partnerships that allow mission owners to start to work a little bit more efficiently,” he said. “What used to take nine to 12 months for individual applications, we’re really trying to reduce the barrier and get it into a week’s time.”
Also recently, the Navy Department made its first major foray into developing major software projects with modern, cloud-native methodologies.
The Research and Development Acquisition Information System (RDAIS) was due for a technology refresh. But instead of lifting and shifting the earlier version of the system into the cloud with only some incremental upgrades, the department decided to use it as a test case for building and funding software with DevSecOps principles.
RDAIS – which mainly supports the planning and budgeting communities within the department’s acquisition enterprise – was a perfect test case for modernizing the Navy’s development approach, partly because Navy acquisition leaders were already fully behind the concept of DevSecOps, said Kevin Allen, the program manager for enterprise systems and services in the Navy’s Program Executive Office for Manpower, Logistics and Business Solutions.
“The current version was old and had a lot of security vulnerability issues, so we got involved and turned to an existing continuous integration and continuous development pipeline that the Marine Corps had stood up and accredited called MCBOSS,” Allen said. “And it’s been a huge enabler for us in getting at speed of delivery. Our accreditation time was significantly truncated, because we were able to inherit hundreds of controls that were already accredited as part of the pipeline. Then, for our application, we focused on just 30-ish controls that were specific to our application. So almost all of our effort and the dollars we’re putting into this is going to functionality, and not to building the underlying infrastructure to support the application.”
And to make sure programs like RDAIS aren’t a one-off, and that it can continue to deliver new software capabilities with a modern service delivery model, the Navy is rethinking how it structures and staffs its program management offices. One overarching goal, officials said, is to approach software acquisition as portfolios of smaller projects rather than the big-bang deliverables historically associated with the DoD acquisition system.
“I think the big thing is creating a culture of visibility and changing the mindset of how we execute our programs. We’re forcing people into some uncomfortable situations because we’re not producing PowerPoints for weekly reporting, we’re really driving to executive dashboards of what the status of funding is, what the project status is,” Methvin said. “I have three scrum masters on my staff now, and it’s forcing our services integrators, our professional service support organizations, to rethink how we’re staffing program offices to get to a modern service delivery model.”