Comparing IT Trends in California and the Department of Defense

Chris Cruz, Chief Deputy Director of the California Department of Technology (CDT) and Deputy State Chief Information Officer (CIO) for the state of California, presented a thought provoking look at the emerging information technology (IT) developments in his state. He highlighted three key trends for the state:

1. Utilizing open source and open data environments to foster innovation
2. Implementing cloud technology to consolidate infrastructure and reduce the number of data centers in the state
3. Cybersecurity and defense, including external threat monitoring & incident response and internal prevention and education

As a servicemember working in the Department of Defense (DoD), Cruz’s presentation led me to investigate the current IT priorities in my own corner of government. According to the most recent DoD strategic IT document released by the office of the CIO in 2016, the way forward for DoD is comprised of eight primary goals:

1. Executing capability initiatives toward the Joint Information Environment (JIE) vision
2. Improving collaboration with mission partners and industry
3. Ensuring successful mission execution in the face of a persistent cyber threat
4. Providing a cloud computing environment
5. Optimizing DoD’s data center infrastructure
6. Exploiting the power of trusted information sharing
7. Providing a resilient communications and network infrastructure
8. Improving transparency, overnight, and execution of DoD IT investment

Examining each of these lists produces several interesting comparisons. One major difference is a matter of scope- while Cruz cites California’s recent distinction as the sixth largest economy in the world, the U.S defense spending would place the DoD as approximately the 19th largest economy on its own.  Add to this that the DoD employs nearly ten times as many employees as the state of California, while operating in the shadow of budgetary uncertainty following the implementation of sequestration in 2012 and 2013. Finally, the mission set of the constituent agencies of the DoD are constantly changing and evolving. While Cruz presents supporting the establishment of a statewide architecture for the cannabis industry as an example of the innovation required in California, it is still relatively similar to the architecture required to support other commercial activities. The DoD must develop a robust network capable of responding to currently unforeseen threats in austere environments across the globe. While the cost of “late arrival” to a disruptive technology could result in waste of tax dollars or inefficiency for California, the consequences for the DoD could be critical for the warfighters they support.

Despite these differences, the similarities between the DoD’s priorities and those of California are overwhelming. DoD’s priorities of working towards the JIE and collaborating with partners and industry echo Cruz’s comments about streamlining and integrating the information environment of the various state agencies his office supports. The DoD faces the same challenge in developing a joint environment that better integrates the various networks that are currently operated independently by different agencies within the department. This effort flows directly in to the DoD’s cyber defense activities, through the implementation of what DoD has termed Joint Regional Security Stacks (JRSS). The DoD CIO Terry Halvorsen, in budget testimony to Congress explaining the priorities above, called the implementation of JRSS DoD’s number one IT priority. This framework would reduce the 1000 disparate networks and 5000 firewalls that currently comprise the DoD network down to just 50 external access points, which would dramatically streamline DoD cyber defense activities. This method is similar to Cruz’s discussion of the new California cyber defense center’s role in serving as a central hub for the state’s response to cyber threats.

The stringent security and privacy requirements for handling government data complicate both California and DoD’s implementation of cloud storage and computing. In addition to the HIPAA, CJIS, and FedRAMP requirements that Cruz discussed for California, the DoD has instituted several stringent requirements that go beyond FedRAMP through the Cloud Computing Security Requirements Guide (CC CRG). Notably, the DoD has informed its industry partners that these requirements are subject to change as the threat environment evolves in the future.

This uncertainty limits the partners that DoD can work with in industry, which points to a larger issue shared by both California and the DoD. As government entities, both organizations are less able to attract top IT talent than large technology companies in the private sector, due largely to limits on compensation, byzantine hiring practices, and broader lifestyle constraints. Similar to California’s efforts described by Cruz, the DoD has considered creative methods including internships, hiring programs, and the use of private contractors in an attempt to overcome these disadvantages.

The fact that California and the DoD share so many similar IT priorities, despite sometimes stark differences in size, geography, and mission, supports the widespread importance of emerging trends such as cloud computing, cyber security, and innovation across the spectrum of public and private entities. I look forward to exploring these trends further throughout the course.