Emerging Best Practice in IT Architecture & Acquisitions

Integrity - Service - Excellence. Headquarters U.S. Air Force. Emerging Best Practice in IT Architecture & Acquisitions. Dr. T. Rudolph, CTO, Electronic Systems Center, Hanscom AFB, MA. 12 November 2009

Upload: thad

Post on 13-Jan-2016


TRANSCRIPT

Page 1: Emerging Best Practice in IT Architecture & Acquisitions

Headquarters U.S. Air Force

Emerging Best Practice in IT Architecture & Acquisitions

Dr. T. Rudolph
CTO, Electronic Systems Center

Hanscom AFB, MA
12 November 2009

Page 2: Emerging Best Practice in IT Architecture & Acquisitions

A Changing World

(Irregular Warfare, Stabilization, Homeland Defense, Emergency Response, Disaster Recovery, Humanitarian Relief)

Page 3: Emerging Best Practice in IT Architecture & Acquisitions

…And It’s NOT Just Our Security Environment

Financial Meltdown

Healthcare Crisis

Page 4: Emerging Best Practice in IT Architecture & Acquisitions

The “DNA” of Information

• V - D: Visibility and Discoverability
• U - I: Understandability and Interoperability
• A - S: Accessibility and Security
• G - P: Governance and Policy

Page 5: Emerging Best Practice in IT Architecture & Acquisitions

Changing Operational Landscape

[Diagram. Domains: Cyberspace, Space, Airborne, Terrestrial. Labels: FAB-T, DSCS, Space Radar, TACP-M, Airborne Network, SIAP, TDL-LINK 16, JPALS, ROBE, JTEP, GATM (CNS/ATM), JTRS, MEECN]

Page 6: Emerging Best Practice in IT Architecture & Acquisitions


Changing Technology Landscape

Net-Centricity Information Transparency SOA Standardization Semantic Technologies Interoperability Cloud Computing Information Security IPv6

Opportunities to use Commercial Innovation and Leverage Commodity IT

Page 7: Emerging Best Practice in IT Architecture & Acquisitions

What SOA isn’t

• A specific architecture
• A product
• An Enterprise Service Bus or many ESBs
  Not necessarily required
• A destination
• A way of life (at least an interesting way of life)
• A guarantee of success
• … alive?
  SOA is Dead; Long Live Services, Anne Thomas Manes, 1 Jan 09
• Governance … but Enterprise Governance is required

Page 8: Emerging Best Practice in IT Architecture & Acquisitions

History of Information Transparency

[Timeline figure; axis 1975, 1985, 1995, 2005, 2010. Labels: usenet, WWW, Yahoo!, Excite, Google, Wiki, social networking, Semantic Web; topical organization; publishing, co-citation; language statistics; browsing; co-citation relevance; authoritative; controlled vocabulary; disconnected content producers; volume of content producers; volume of co-citations; quality of content producers. Dated entries: taxonomy, 340 BCE; encyclopaedia, 77; bibliography, c. 500; concordance, 1250; patent, 1464; salon, 1664; yellow pages, 1883]

Page 9: Emerging Best Practice in IT Architecture & Acquisitions

Business Transformation with SOA

[Timeline figure; axis 1997, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008. Labels:]

• Slash network monitoring costs
• Transform web search
• Transform music distribution
• Customer in-transit visibility
• Total account management
• New media model
• Office SW on browser
• Deployment Readiness
• DIMHRS Risk Mitigation

Page 10: Emerging Best Practice in IT Architecture & Acquisitions


Changing Business Landscape

Content Generation

Data Strategy

Content Provisioning

Business Process Modeling

Enterprise Architecture

Securing the Network

Securing the Content

Required for Enterprise Security and Governance

Page 11: Emerging Best Practice in IT Architecture & Acquisitions

Vision: Transformed Acquisition Process

• More agile/focused mission services
• Evolution to more common IT framework
• Hosting consolidation
• Shared resources/services - right sized to meet ops tempo
• Enterprise Security

Changing acquisition to better leverage services, share infrastructure, and interoperate through federation

[Diagram labels: Program A, Program B, … Program N; Common IT Framework; delivering capability agility]

• Vertically resourced Programs
• Mission applications tightly coupled to infrastructures

Page 12: Emerging Best Practice in IT Architecture & Acquisitions

Changing Acquisition Landscape

• Away from Systems
• Away from Point-to-Point
• Away from Brittle/Fortress-type Security
• Away from Code reuse
• Away from revolutionary large-scale systems development

• Towards Capabilities
• Towards Data Sharing
• Towards End-to-End Enterprise Level Security
• Towards Shared Services and Infrastructure
• Towards iterative/rapid evolution of components

More Granularity and Flexible Contract Vehicles

Page 13: Emerging Best Practice in IT Architecture & Acquisitions

Effective C&A

Establish ESC leadership/responsibility for local certification of PEO programs (including reference architecture, inheritance, type C&A constructs) supports a more timely and effective C&A

Current State:
• C&A timelines are expressed in months or years after completion of development
• Incentivizes users to circumvent controls, creating additional risk

Future state:
• Establish ESC/EN to achieve networthiness (applications, products, services)
• Enterprise Architecture-based Mission assurance based on real risks and salient impacts
• Inherited C&A with confidence with reciprocity to Joint & other services

Page 14: Emerging Best Practice in IT Architecture & Acquisitions


ESC Networthiness

Assigned roles/authorities--single engineering process owner

Deep functional area expertise--increase security engineering skills

Defined and well-known standard process--ESC O-SEP and process standard

Provide training/certification of others--core to engineering training

Mobilize/surge when needed--focused IA teams at Gunter, WPAFB, and Hanscom

Audit and report results of process


Page 15: Emerging Best Practice in IT Architecture & Acquisitions

More Capabilities to the Warfighter
“Build in” Certification

Current State:
• C&A Timelines Are Expressed In Months After Completion Of Development
• Incentivizes Users To Circumvent Controls, Creating Additional Risk

Future State:
• Establish ESC/EN To Achieve Networthiness (Applications, Products, Services)
• Enterprise Architecture-based Mission Assurance Based On Real Risks And Salient Impacts
• Inherited C&A With Confidence With Reciprocity To Joint & Other Services

Transition Focus From Speed Of Acquisition To Speed Of Moving Capability To The Field

Page 16: Emerging Best Practice in IT Architecture & Acquisitions

Services Lifecycle

Page 17: Emerging Best Practice in IT Architecture & Acquisitions

Strategic Investment

• Invest now into Governance – Pay me now or pay me later
• Strong Governance Strategies ensure tiered accountability
• Ensures efforts do not work in a vacuum
• Facilitates realization and separation between infrastructure and Core Capabilities
• Continue consolidation efforts
• Leverage lessons learned from others

Institute and Reinforce the Culture Shift

Page 18: Emerging Best Practice in IT Architecture & Acquisitions

Governance Structures

[Diagram labels: Level of Governance; Overall IT Governance; Implementation; Contract Mechanics and Program Execution; Senior Steering Group (CIO/CMO/SAE/PEO); Enterprise Analysis & CM; Solutions Governance (Engineering Oversight); ESC CCB / Engineering Sufficiency Reviews; Programs; NETCENTS-2 Program Office; Policies & Regs; Capability Prioritization; Capability Engineering; User’s Guide, Templates, and Due Diligence CL (PO); External to ESC; Internal to ESC; Compliance and Technical Rigor]

Page 19: Emerging Best Practice in IT Architecture & Acquisitions

Elements of the ESC Governance Model

[Diagram labels: IT Governance; Strategic IT Direction; AF Enterprise Architecture; Engineering Baseline: Technical Guidance; Engineering Baseline: Asset Inventory; Programs of Record (PoR); Strategic; Operational; Tactical; SSG; IT-LC; CCB; PMO; TWG]

Page 20: Emerging Best Practice in IT Architecture & Acquisitions

Solutions – Engineering Baseline

Engineering Baseline = Guidance + Knowledge

Answers 4 questions:
• What am I acquiring?
• Should I use existing infrastructure?
• Am I building new products right?
• Am I building anything that could be used by others?

Changes in:
• Policy
• Technology
• Standards

[Diagram labels: ASSETS; Technical Guidance; Asset Inventory; ESC Engineering Baseline; Programs of Record; Configuration Control Board; ASSETS To the Field; Info Gathering; Produce; Inventory Update; Update Inventory; Change Guidance; Direction; Re-use; Change Request; Qualifies]

Organizing Enterprise Framework for Capability Delivery

Page 21: Emerging Best Practice in IT Architecture & Acquisitions

Capability Delivery

• Engineering Baseline to provide guidance and share knowledge between programs
• Governance and Data Strategy supports interoperability and information sharing
• Certification & Accreditation refocused on Mission Assurance
• Capabilities to the warfighter, rapidly

[Diagram labels: Development; Certification & Accreditation; Rapid Capability; Guidance; Knowledge]

Convergence support Agile Capability Delivery

Page 22: Emerging Best Practice in IT Architecture & Acquisitions

…because the adversary is here

Photo courtesy of Dr. Roger G. Miller, HAF/HO

And we have only seconds to defeat him…

Questions?

Page 23: Emerging Best Practice in IT Architecture & Acquisitions

BACK-UPS

Page 24: Emerging Best Practice in IT Architecture & Acquisitions

NDAAs

NDAA 2008 Section 904 requires appointment of DoD Chief Management Officer and Deputy, as well as Services Chief Management Officers. CMO duties:
• Ensure capability to carry out the strategic plan of the Department of Defense in support of national security objectives
• Ensure the core business missions of the Department are optimally aligned to support the Department’s warfighting mission
• Establish performance goals and measures for improving and evaluating overall economy, efficiency, and effectiveness and monitor and measure the progress
• Develop and maintain a strategic plan for business reform

NDAA 2009 Section 908
• Sets minimum objectives for Services CMOs
• Mandates creation of a Director of Business Transformation (DBT) and Office of Business Transformation (OBT) reporting directly to CMO
• Sets minimum scope for OBT – Budget, Finance, Accounting, Human resources – extensible by SECAF
• Provides DBT with authority over all elements of the military department to carry out transformation initiative

NDAA 1999
• Review budget requests for all IT and NSS systems; ensure that IT and NSS are in compliance with standards of Government and DoD
• Ensure that IT and NSS are interoperable with other relevant IT and NSS
• Coordinate with the Joint Staff with respect to IT and NSS

Page 25: Emerging Best Practice in IT Architecture & Acquisitions


Elements of a Complete Governance Model

1. Governance Strategy, Scope and Goals

2. Governance Stakeholder Model

3. Governance Goals, Principles and Policies

4. Policy Enforcement and Provisioning Model

5. Governance Enforcement Mechanisms
   a) Organizations and Boards
   b) Governance Processes, Events and Triggers
   c) Governance Enabling Technology and Tools

6. Exception, Waiver, Escalation and Appeals Process 

7. Governance Metrics and Behavioral Model

8. Governance Communications Model

9. Governance Feedback and Management Reviews

10. Governance Performance Management and Sustainment


Page 26: Emerging Best Practice in IT Architecture & Acquisitions

Applied Governance

[Diagram labels: Budgeting, Ownership & Funding Models; Enterprise Governance Models; Organization & Processes; Roles, Skills & Assimilation; Behavior, Culture & Incentives; Metrics & Scorecards; Processes & Policies; People Tools & Technology]

• Governance required at different levels
• Not just a committee, but a new way of life
• Governance is Policies, Processes, Organizations, Tools that lead to the desired behavior
• Need to proceed smartly and learn from the lessons of the past

Integration Culture Shift

Stabilizing the patient through architecture and strong governance will help secure the network while developing a strategic path forward and reducing overall lifecycle costs

Page 27: Emerging Best Practice in IT Architecture & Acquisitions


Five Aspects to Air Force OTD

Open Architecture Air Force Enterprise Architecture

Open Standards ESC Engineering Baseline

Open Development Collaboration Automated Metadata Population Service

Open Source Forge.mil

Open Systems Office of Naval Research Navy Reference Implementation http://nesipublic.spawar.navy.mil/nesix/View/P1307

(https://enweb.mitre.org/wiki/index.php/OTD)


Page 28: Emerging Best Practice in IT Architecture & Acquisitions

Three-Legged Stool of Capability Delivery

[Diagram labels: SAF/AQ; SAF/XC; ESC; AFSPC; AFSO21; CMPPITP; Lead Commands; AF NetOps; Streamlining IT; Enterprise Architecture; Engineering Baseline; Capability; Process; Vocabulary; Service]

Page 29: Emerging Best Practice in IT Architecture & Acquisitions

Infrastructure Convergence
Virtualization for Mission Effectiveness

Assume Attacks Will Succeed and Limit the Value of Each Attack
• Assume compromise; rebuild routinely
• Decouple external and internal networks
• Use Wisdom of the Crowds

Retake the Asymmetric Advantage By Constantly Changing the Attack Surface
• Choose from a million random variations
• Distribute servers, apps, data across VMs
• Add in out-of-band elements

Adaptive CONOPS to “Fight-Thru” Attacks
• Instrument network for machine learning
• Composable security
• Collocate Ops, Development, R&D

Repurpose Virtualization from Cost Efficiency to Mission Effectiveness