There’s an age-old adage: There’s no limit to what you can accomplish if you can get a team to do the work together, and early results from the Cyber Asset Reduction and Security (CARS) Task Force are proof of this concept.
Since inception in October 2006, the CARS Task Force has keenly kept its sights on:
• Improving the Navy’s enterprise security posture;
• Reducing the Navy’s information technology footprint; and
• Enforcing enterprise behavior and preparing the way for the Next Generation Enterprise Network (NGEN) and Naval Networking Environment (NNE).
Aggressive efforts with the fleet, systems commands, personnel and training commands, facilities, higher education commands and all other major Navy commands have made significant progress in attaining the Chief of Naval Operations’ goals for CARS to reduce the number of Navy legacy networks.
In the last year, the CNO accelerated the timeline for reduction from September 2011 to September 2010 and raised the bar for total network reduction from 51 percent to 90 percent!
Enhancing the Navy’s Security Posture
According to Neal Miller, CARS director, CARS is focused on improving the Navy’s enterprise security posture. “We are eliminating legacy networks ashore by moving their capabilities into NMCI (Navy Marine Corps Intranet) or ONE-NET,” he said.
“We’re also taking steps to ensure that all networks allowed to remain outside these networks are just as secure and are efficiently managed following common command and control structures.”
Miller added that his team is working to find financial efficiencies and help prepare for NGEN. “This could not be done without the positive support of our mission partners — the NMCI and ONE-NET program leads and the Navy’s Echelon II command chief information officers.”
One of the first orders of business for CARS was to develop written, repeatable processes, including the first-ever Navywide criteria for adjudicating whether a shore-based system or application should be allowed to operate outside the Navy’s designated enterprise networks: NMCI, ONE-NET and Integrated Shipboard Network Systems (IT-21).
The CARS team has followed processes, making adjustments and refinements along the way. Together with mission partners, CARS is operating as smoothly as a well-oiled machine to keep this complex mission on track.
To illustrate the scope of this effort, when CARS was initiated, the Navy had nearly 1,200 networks, including NMCI, ONE-NET and afloat networks, which make up just 12 of the 1,200 total networks. But by the end of September 2008 that total had been reduced to about 500, including approximately 150 “excepted” networks, or networks outside the NMCI enclave, which leaves 350 networks to be terminated by September 2010.
By summer 2008, the systematic CARS case development process identified secure enterprise solutions for common applications for more than 230 systems to be migrated into NMCI and ONE-NET. These cases were far enough along in the planning process so that actual migration timelines were established.
CARS and Echelon II CIO representatives then teamed up to create an aggregate network termination schedule for 200 networks during fiscal year 2009.
The CARS team will press on for network shutdown, which will leave approximately 150 networks to be terminated before the mission completion date of September 2010.
The majority of these cases are in the NMCI area of support, and common solutions are being applied overseas to help transition systems into ONE-NET.
It is important to note that approximately half of the Navy’s total information technology infrastructure is in place to provide capabilities that are either not supportable in, or not appropriate to be provided by an enterprise network.
Examples include Navy higher education networks at the Naval Academy, Naval War College and Naval Postgraduate School; research, development, test and evaluation (RDT&E) networks operated by the Navy’s systems commands; high-speed computing conducted by mainframe computers for Navy oceanographic and meteorological services; and selected tactical and training networks ashore.
“Through the deliberate CARS process, all excepted networks will be secured behind an approved, centrally-managed information assurance/computer network defense (IA/CND) suite,” said Charlie Kiriakou, CARS deputy director and security chief. “This will ensure that the Navy’s entire IT network infrastructure will have well understood and consistent security capabilities, whether it is in NMCI, IT-21, ONE-NET or an excepted network,” he said.
Previous CARS investments have accelerated transition to Web-based organizational messaging using the Navy Regional Enterprise Messaging System (NREMS); supported accelerated termination of legacy networks overseas (Guam ONE-NET); and consolidated enterprise applications, such as the Federal Logistics Data (FED LOG) and Standard Procurement System (SPS).
In August 2007, certification and accreditation (C&A) for network operations throughout the Navy streamlined CARS and other Navy workflow by reducing net cycle time in the C&A process.
Rob Mawhinney, Navy’s deputy operational designated approval authority (ODAA) and deployment lead for C&A, believes that the process improved risk acceptance decisions by the ODAA through higher quality C&A documents. “This process is not only a positive direction for CARS,” Mawhinney said, “but for commands throughout the Navy as well.”
Another way to improve quality and reduce the timeline for completing the C&A process is to deploy a software tool to help automate the workflow and development of required C&A documentation.
CARS initiated and funded an acquisition effort by Program Executive Office Command, Control, Communications, Computers and Intelligence (PEO C4I) to field such a tool, C&A Support Tool, or CAST. CAST automates the C&A process from registration through system decommissioning.
If you use a commercial software application for preparing your income tax return, it’s easy to understand the value and time savings that a similar program can bring to the C&A process.
“Classified systems that have not had NMCI seat orders placed are included in the network shutdown list,” said Lt. Jessie Castillo, deputy director for the CARS operations division.
“Once a solution is identified and sufficient progress made toward implementation, CARS and the NETWARCOM director of operations may allow re-connection of a legacy network.”
In view of the fiscal realities and complexity of the mission, the CARS team has been aggressively working to balance the need for demonstrating tangible results, such as infrastructure reductions, security improvements and savings quickly, with the need to define a comprehensive and executable plan to accomplish its mission on or ahead of schedule.
“We will not rush to failure, nor will we allow ourselves to fall into the trap of over-planning and resultant lack of positive action,” said Clifford Bussey, CARS operations officer. “Prudent operational risk must be accepted while adhering to the need to reduce, consolidate and secure our networks. We also need to track the financial savings when we deliver operating efficiencies to support realignment decisions.”
Setting the Stage for NGEN and NNE
One of the greatest challenges facing the Navy’s shore IT leaders is reducing costs for operating and maintaining major business and warfighting computer systems without reducing readiness. Implementing maturing technologies, such as server virtualization, and consolidating systems into fewer physical hosting locations are key elements of the new Navy Server/Application Hosting Center strategy.
CARS has begun implementation in three locations already, including Space and Naval Warfare (SPAWAR) Systems Center sites in New Orleans and San Diego, and a Bureau of Naval Personnel (BUPERS) site in Millington, Tenn. The next steps include build out of backup capability for the Millington site at Great Lakes, Ill., and initial exploration for expansion sites in Patuxent River, Md., and Bremerton, Wash.
The strategy includes leveraging joint hosting capacity at large Defense Information Systems Agency (DISA) computing centers. The first one with major Navy users is in Mechanicsburg, Pa.; other locations include Norfolk, Va., and overseas locations in Naples, Italy; Yokosuka, Japan; and Bahrain. Planned projects are summarized in Figure 1.
As these sites are activated, many existing Navy systems will be relocated from their current widely dispersed sites into one of the consolidated hosting locations.
In addition to reduced total costs and being more environmentally friendly, the primary benefits of executing this strategy include significant improvements in the Navy’s disaster recovery and continuity of operations capabilities; improved ability to defend our key information systems and the data exchanged on them; and an increase in the speed to capability to bring new systems on line securely.
“The overall effort includes seeking most efficient operations as well as identifying appropriate cost-sharing methodology for data centers that host applications owned by more than one Echelon II command,” Kiriakou said. “In parallel with consolidating the data centers, Navy is taking positive steps for phased consolidation of our Web portals,” Kiriakou added. “These services will eventually be provided via Defense Knowledge Online.”
The effort is starting with migration of the U.S. Fleet Forces Command’s SharePoint classified and unclassified portals to a DISA computing center in Mechanicsburg.
CARS is also implementing consolidation of the Navy’s public-facing Web services to a DISA computing center in conjunction with implementation of DoD-level information assurance demilitarized zones, also called proxy services and screened subnets. This is to ensure that the assurance of one system is not undermined by the vulnerabilities of interconnected systems.
“A plan of action and milestones (POA&M) for purging enterprise service capabilities from networks that have attained initial approval as excepted networks will be executed this year,” Bussey said. “I’d especially like to recognize Naval Facilities Engineering Command and the Naval Education and Training Command for timely completion of their POA&Ms, and we are looking forward to helping them execute them to meet all requirements for final approval.”
The CARS area of responsibility is global, so CARS has been working hand-in-hand with the ONE-NET program to facilitate enforcement of that network as the Navy’s designated enterprise overseas network. This includes coordination of assets and networks not presently in ONE-NET and developing engineering plans for them to migrate to ONE-NET.
“Another area we are supporting is the emerging governance and architecture plans to enforce a consistent approach for network service types to support the Maritime Headquarters with Maritime Operations Centers,” Castillo said. “Additionally, common themes among the approved excepted networks will be used to ensure full awareness of the potential scope of services required to be provided under the Navy’s Next Generation Enterprise Network,” he continued.
“Overall, CARS is on schedule,” Miller explained. “We have a much better understanding of the detailed scope of networks, applications and systems that will be needed to transition to NGEN, and we are ahead of the game on network terminations.
“We’ve made great progress with reducing workload for completing security efforts begun under Cyber Condition Zebra with metropolitan area network purifications and security. However, we have not made as much progress as I’d like in a few areas, including establishing Navywide processes and tools for IT asset management,” Miller continued. “Our focus remains on finding a balance between improving security and delivering cost-effective enterprise solutions, but the new normal for security posture, demanded by Joint Task Force–Global Network Operations (JTF-GNO), has driven us to implement a few course corrections to respond to a very dynamic network operations and defense environment across the DoD,” Miller said.
He added that, “Active collaboration, with NMCI, ONE-NET and NGEN programs and all the Navy’s Echelon IIs, is allowing us to concentrate efforts to meet real-time operational demands to improve our security posture through deploying technologies, such as Host Based Security System and data at rest, while also making real progress to set the stage for NGEN/NNE through initial deployments of IT asset management and Data and Application Hosting Centers.”
Miller credited CARS mission partners for the current level of success achieved. “Together, we will accomplish the CNO’s goals, improve [the] Navywide security posture, [and] identify and leverage efficiencies,” Miller concluded. “We will transform Navy IT from a federated to a mature enterprise where sound investments in IT deliver definitive warfighting and business value.”
George Bieber is the editor of InfoDomain, the professional magazine of Naval Network Warfare Command. This article was reprinted courtesy of NETWARCOM and edited from the original article published in the Winter 2008-2009 edition of InfoDomain.