Headquarters U S Air Force Integrity Service Excellence

  • Slides: 29

Headquarters U.S. Air Force
Integrity - Service - Excellence
Emerging Best Practice in IT Architecture & Acquisitions
Dr. T. Rudolph, CTO, Electronic Systems Center, Hanscom AFB, MA
12 November 2009

A Changing World (Irregular Warfare, Stabilization, Homeland Defense, Emergency Response, Disaster Recovery, Humanitarian Relief)

…And It’s NOT Just Our Security Environment
  • Financial Meltdown
  • Healthcare Crisis

The “DNA” of Information
  • Visibility and Discoverability (V-D)
  • Understandability and Interoperability (U-I)
  • Accessibility and Security (A-S)
  • Governance and Policy (G-P)

Changing Operational Landscape
  • SPACE
  • AIRBORNE
  • TERRESTRIAL
  • CYBERSPACE

Changing Technology Landscape
  • Net-Centricity
  • Information Transparency
  • SOA
  • Standardization
  • Semantic Technologies
  • Interoperability
  • Cloud Computing
  • Information Security
  • IPv6
Opportunities to use Commercial Innovation and Leverage Commodity IT

What SOA isn’t
  • A specific architecture
  • A product
  • An Enterprise Service Bus or many ESBs
      • Not necessarily required
  • A destination
  • A way of life (at least an interesting way of life)
  • A guarantee of success
  • … alive? (SOA is Dead; Long Live Services, Anne Thomas Manes, 1 Jan 09)
  • Governance … but Enterprise Governance is required

History of Information Transparency
[Figure: timeline chart. Axis and region labels: Volume of content; Volume of co-citations; Quality of content producers; Disconnected content producers. Years marked: 1975, 1985, 1995, 2005, 2010. Milestone labels: taxonomy, 340 BCE; encyclopaedia, 77; bibliography, c. 500; concordance, 1250; patent, 1464; salon, 1664; yellow pages, 1883; usenet; social networking; topical organization; WWW publishing; Excite; Yahoo!; Google; Wiki; Semantic Web; browsing; co-citation; language relevance statistics; authoritative controlled vocabulary.]

Business Transformation with SOA
[Figure: timeline with years 1997, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 and the following labels]
  • Slash network monitoring costs
  • Customer in-transit visibility
  • Total account management
  • Transform web search
  • Transform music distribution
  • New media model
  • Office SW on browser
  • Deployment Readiness
  • DIMHRS
  • Risk Mitigation

Changing Business Landscape
  • Content Generation
  • Data Strategy
  • Content Provisioning
  • Business Process Modeling
  • Enterprise Architecture
  • Securing the Network
  • Securing the Content
Required for Enterprise Security and Governance

Vision: Transformed Acquisition Process
[Diagram labels: Program A, Program B, … Program N; Common IT Framework; delivering capability agility]
Vertically resourced Programs
  • Mission applications tightly coupled to infrastructures
More agile/focused mission services
  • Evolution to more common IT framework
  • Hosting consolidation
  • Shared resources/services - right sized to meet ops tempo
  • Enterprise Security
Changing acquisition to better leverage services, share infrastructure, and interoperate through federation

Changing Acquisition Landscape
  • Away from Systems; Towards Capabilities
  • Away from Point-to-Point; Towards Data Sharing
  • Away from Brittle/Fortress-type Security; Towards End-to-End Enterprise Level Security
  • Away from Code reuse; Towards Shared Services and Infrastructure
  • Away from revolutionary large-scale systems development; Towards iterative/rapid evolution of components
More Granularity and Flexible Contract Vehicles

Effective C&A
  • Establish ESC leadership/responsibility for local certification of PEO programs (including reference architecture, inheritance, type C&A constructs) supports a more timely and effective C&A
  • Current State:
      • C&A timelines are expressed in months or years after completion of development
      • Incentivizes users to circumvent controls, creating additional risk
  • Future state:
      • Establish ESC/EN to achieve networthiness (applications, products, services)
      • Enterprise Architecture-based
      • Mission assurance based on real risks and salient impacts
      • Inherited C&A with confidence with reciprocity to Joint & other services

ESC Networthiness
  • Assigned roles/authorities--single engineering process owner
  • Deep functional area expertise--increase security engineering skills
  • Defined and well-known standard process--ESC O-SEP and process standard
  • Provide training/certification of others--core to engineering training
  • Mobilize/surge when needed--focused IA teams at Gunter, WPAFB, and Hanscom
  • Audit and report results of process

More Capabilities to the Warfighter
“Build in” Certification
  • Current State:
      • C&A Timelines Are Expressed In Months After Completion Of Development
      • Incentivizes Users To Circumvent Controls, Creating Additional Risk
  • Future State:
      • Establish ESC/EN To Achieve Networthiness (Applications, Products, Services)
      • Enterprise Architecture-based
      • Mission Assurance Based On Real Risks And Salient Impacts
      • Inherited C&A With Confidence With Reciprocity To Joint & Other Services
Transition Focus From Speed Of Acquisition To Speed Of Moving Capability To The Field

Services Lifecycle

Strategic Investment
  • Invest now into Governance – Pay me now or pay me later
  • Strong Governance Strategies ensure tiered accountability
      • Ensures efforts do not work in a vacuum
      • Facilitates realization and separation between infrastructure and Core Capabilities
  • Continue consolidation efforts
  • Leverage lessons learned from others
Institute and Reinforce the Culture Shift

Governance Structures
[Diagram text: Capability Prioritization External to ESC Level of Governance Senior Steering Group (CIO/CMO/SAE/PEO) Overall IT Governance Policies & Regs Capability Engineering Compliance and Technical Rigor ESC CCB / Engineering Sufficiency Reviews Solutions Governance (Engineering Oversight) Enterprise Analysis & CM Contract Mechanics and Program Execution User’s Guide, Templates, and Due Diligence CL (PO) Programs Internal to ESC Implementation NETCENTS-2 Program Office]

Elements of the ESC Governance Model
[Diagram text: Strategic IT Direction SSG AF Enterprise Architecture Operational CCB TWG Engineering Baseline: Technical Guidance Tactical IT Governance PMO Engineering Baseline: Asset Inventory IT-LC Programs of Record (PoR)]

Solutions – Engineering Baseline = Guidance + Knowledge
Answers 4 questions:
  • What am I acquiring?
  • Should I use existing infrastructure?
  • Am I building new products right?
  • Am I building anything that could be used by others?
[Diagram text: ESC Engineering Baseline, Change Guidance, Technical Guidance, Update Inventory, Changes in: Policy / Technology / Standards, Qualifies Asset Inventory, Direction, Re-use, Change Request, Configuration Control Board, Gathering Info, Inventory Update, Programs of Record Produce ASSETS To the Field]
Organizing Enterprise Framework for Capability Delivery

Capability Delivery Guidance
  • Engineering Baseline to provide guidance and share knowledge between programs
Knowledge Development
  • Governance and Data Strategy supports interoperability and information sharing
  • Certification & Accreditation refocused on Mission Assurance
  • Capabilities to the warfighter, rapidly
Rapid Capability Convergence support Agile Capability Delivery

…because the adversary is here
Questions?
And we have only seconds to defeat him…
Photo courtesy of Dr. Roger G. Miller, HAF/HO

BACK-UPS

NDAAs
  • NDAA 2008 Section 904
      • Requires appointment of DoD Chief Management Officer and Deputy, as well as Services Chief Management Officers.
      • CMO duties:
          • Ensure capability to carry out the strategic plan of the Department of Defense in support of national security objectives
          • Ensure the core business missions of the Department are optimally aligned to support the Department’s warfighting mission
          • Establish performance goals and measures for improving and evaluating overall economy, efficiency, and effectiveness and monitor and measure the progress
          • Develop and maintain a strategic plan for business reform
  • NDAA 2009 Section 908
      • Sets minimum objectives for Services CMO’s
      • Mandates creation of a Director of Business Transformation (DBT) and Office of Business Transformation (OBT) reporting directly to CMO
      • Sets minimum scope for OBT – Budget, Finance, Accounting, Human resources – extensible by SECAF
      • Provides DBT with authority over all elements of the military department to carry out transformation initiative
  • NDAA 1999
      • Review budget requests for all IT and NSS systems; ensure that IT and NSS are in compliance with standards of Government and DoD
      • Ensure that IT and NSS are interoperable with other relevant IT and NSS
      • Coordinate with the Joint Staff with respect of IT and NSS

Elements of a Complete Governance Model
1. Governance Strategy, Scope and Goals
2. Governance Stakeholder Model
3. Governance Goals, Principles and Policies
4. Policy Enforcement and Provisioning Model
5. Governance Enforcement Mechanisms
   a) Organizations and Boards
   b) Governance Processes, Events and Triggers
   c) Governance Enabling Technology and Tools
6. Exception, Waiver, Escalation and Appeals Process
7. Governance Metrics and Behavioral Model
8. Governance Communications Model
9. Governance Feedback and Management Reviews
10. Governance Performance Management and Sustainment

Applied Governance
Integration Culture Shift
  • Stabilizing the patient through architecture and strong governance will help secure the network while developing a strategic path forward and reducing overall lifecycle costs
  • Governance required at different levels
  • Not just a committee, but a new way of life
  • Governance is Policies, Processes, Organizations, Tools that lead to the desired behavior
[Diagram text: Enterprise Governance Models People Organization & Processes Roles, Skills & Assimilation Metrics & Scorecards Tools & Technology Behavior, Culture & Incentives Budgeting, Ownership & Funding Models Processes & Policies]
Need to proceed smartly and learn from the lessons of the past

Five Aspects to Air Force OTD
  • Open Architecture
      • Air Force Enterprise Architecture
  • Open Standards
      • ESC Engineering Baseline
  • Open Development Collaboration
      • Automated Metadata Population Service
  • Open Source
      • Forge.mil
  • Open Systems
      • Office of Naval Research Navy Reference Implementation
Navy Reference Implementation: http://nesipublic.spawar.navy.mil/nesix/View/P1307
(https://enweb.mitre.org/wiki/index.php/OTD)

Three-Legged Stool of Capability Delivery
[Diagram text: Enterprise Architecture, Engineering Baseline, Process, Requirements, Service, AFSO21, CMP, PITP, Lead Commands, SAF/AQ, SAF/XC, ESC, Ops, Vocabulary, AFNet, Capability, Rapid Development, Streamlining IT, AFSPC]

Infrastructure Convergence Virtualization for Mission Effectiveness
Repurpose Virtualization from Cost Efficiency to Mission Effectiveness
Retake the Asymmetric Advantage By Constantly Changing the Attack Surface
  • Choose from a million random variations
  • Distribute servers, apps, data across VMs
  • Add in out-of-band elements
Assume Attacks Will Succeed and Limit the Value of Each Attack
  • Assume compromise; rebuild routinely
  • Decouple external and internal networks
  • Use Wisdom of the Crowds
Adaptive CONOPS to “Fight-Thru” Attacks
  • Instrument network for machine learning
  • Composable security
  • Collocate Ops, Development, R&D