The chairman of the House Armed Services Committee raised a few eyebrows recently when he put forth draft legislation dated April 16 and aimed at cutting defense spending by eliminating seven Department of Defense (DoD) agencies, including the Defense Information Systems Agency (DISA).
Rep. Mac Thornberry, R-Texas, said his goal is to reduce spending by 25 percent within the Pentagon’s “Fourth Estate,” which refers to dozens of agencies that don’t answer directly to one of the military services. DISA, which provides IT infrastructure and communications support to the military, is the most notable of the targeted agencies.
The others are the Defense Technical Information Center, Office of Economic Adjustment, Test Resource Management Center, Washington Headquarters Services, the Defense Technology Security Administration, and Defense Human Resources Activity.
The proposal immediately ran into some pushback on the Hill, with lawmakers and others saying that the agencies potentially on the block provide essential services that would still have to be provided if those agencies were closed. In DISA’s case, those services have a global reach involving operation and defense of DoD networks, along with significant roles in DoD’s efforts to move toward cloud computing and the Joint Information Environment, and other functions related to DoD operations.
DISA is funded by Congress through the annual National Defense Authorization Act, has a budget of $9.4 billion, and about 8,000 military and civilian employees. In addition to its responsibilities in security and cloud deployment, its key mission areas include facilitating DoD’s ongoing transition to a net-centric environment, maximizing bandwidth in the Global Information Grid (GIG), exploiting the GIG to improve decision-making, and providing communications support. This includes commercial satellite leasing and “Special Mission Areas” in support of White House communications.
In some cases, those jobs are already being shifted away from DISA. Cyber defense activities, which make up a relatively small (in terms of manpower) but important piece of DISA’s responsibilities, are already being turned over to the U.S. Cyber Command, which has been given control of the Joint Force Headquarters-DoD Information Networks (JFHQ-DODIN) and the roughly 15,000 DoD networks it defends.
The Pentagon’s push to use commercial cloud services also has put DISA somewhat on the sidelines. In 2014, DoD, looking to attract more commercial providers, took away DISA’s role as the department’s cloud broker, though DISA remained in charge of evaluating and approving the cloud services for DoD use. But that also saw a change a few years ago, when DISA’s original Cloud Security Model was scrapped in favor of the Cloud Computing Security Requirements Guide, which aligns more closely to the Federal Risk and Authorization Management Program (FedRAMP) used by civilian Federal agencies.
DoD’s most high-profile commercial cloud project is the Joint Enterprise Defense Infrastructure (JEDI) cloud contract, a potential $10 billion deal for which the department plans a single award, and which is being managed not by DISA but by the Cloud Executive Steering Group, a panel of senior DoD officials.
But although DISA is seeing its role diminished in some areas, it still has its hands in a significant number of pies. A steering group may have taken command of JEDI, but DISA is still involved in cloud computing through its own milCloud and milCloud 2.0 offerings, as well as other major projects. On April 17, the agency released a draft request for proposals for the Defense Enterprise Office Solutions (DEOS), which could be worth up to $8 billion. Planned as an enterprise cloud that will replace current IT services including “voice, video, collaboration, email, content management, records management, and office productivity,” DEOS will support the Pentagon’s Joint Information Environment (JIE). As with JEDI, DISA plans a single award for the DEOS contract, which would run for five years with five one-year options. Responses to the draft solicitation are due May 7.
DISA has a significant role in the JIE, DoD’s vision for a secure, integrated, cloud-based network that can accommodate the military services, other DOD components, and allied forces. At the foundation for JIE’s operation are the Joint Regional Security Stacks (JRSS), which will allow DoD to consolidate defense for hundreds of networks into a handful of regional centers. DISA is overseeing implementation of the JRSS, although it has run into a few snags since work began in 2013. Most recently, DoD’s director of operational test and evaluation released a report in January saying the JRSS implementation failed in tests to protect against cyberattacks. The report recommended putting further deployments on hold.
If it happens, the elimination of DISA and the other agencies won’t happen overnight. Thornberry’s proposal would call for DoD’s chief management officer to come up with a plan for the changes by 2020. And at this point, it’s just draft legislation, which will likely run into opposition in Congress. In the meantime, DoD and lawmakers will have to figure out how to shift the jobs currently handled by DISA elsewhere in the department and determine whether the shift ultimately will improve efficiency and save money.