Interview: John Grimes
Assistant Secretary of Defense for networks and information integration and Defense Department Chief Information Officer John Grimes talks with Defense Systems.
John Grimes has been assistant secretary of Defense for networks and information integration and Defense Department chief information officer since late 2005. He previously held numerous senior technical and staff positions, including five years on the White House National Security Council staff as director for national security telecommunications policy. As DOD’s CIO, he has been the chief customer of the Defense Information Systems Agency.
With the transition to a new administration looming, Grimes spoke with Defense Systems contributing editor Barry Rosenberg about the challenges facing the next DOD CIO.
DS: With a new administration taking office in January, what transitional issues are you dealing with now?
Grimes: I’m trying to transition the transformation that started with former Secretary of Defense Donald Rumsfeld back in the early part of the administration when the net-centric concept was put together. Secretary of Defense Robert Gates has expressed publicly and before Congress his concerns as we transition because we have two wars in progress, which is the first time this has happened in 40 years. So it’s more critical than ever that we have a good transition to the new administration.
DS: What are some of the specific personnel decisions that will occur?
Grimes: My job is me — I go away on Jan. 20 since I’m confirmed by the Senate.
Most of the time — President Clinton did not — they’ll ask an individual like me to stay around for a couple weeks. Here’s the problem. When Rumsfeld came in, it took nine months to get his team confirmed. It took eight months for my predecessor to be cleared. In the meantime, business goes on. So what’s critical is the involvement of my two deputies, Cheryl Roby, who is my principal deputy, and the deputy CIO, David Wennergren. They’re career employees, and they stay on the job.
The Defense Department information technology enterprise is the largest in the world. I hope the new administration will have people who are familiar and understand the magnitude. On Jan. 20, things just don’t turn off and a whole new group of people come in. My job, the secretary of Defense, the secretary of State, and all the undersecretaries have to be confirmed. And most of the time, a new administration has candidates that have to be vetted by the FBI, especially for my job. Then they’re subject to Senate approval.
And, of course, the first two people they try to confirm are the secretaries of Defense and State. And then within the department, it’s usually the deputy secretary and undersecretary for policy. Now that’s the norm. We don’t know whether that will be the same for this group.
DS: Do you expect there to be an acting CIO beginning Jan. 21?
Grimes: That will be up to the new administration.
Or they might ask me to stay on in an acting capacity, which I would agree to for a short period.
DS: What are you doing now to solidify and transition your most important programs?
Grimes: The secretary of Defense has established 25 priorities to be transitioned.
We have a plan we have put together that is subject to review.
DS: How many of those 25 specifically relate to your office?
Grimes: There are five major ones that we are supporting. The first is enterprisewide alignment, where we want to accelerate DOD Information Age transformation to increase the effectiveness and efficiency of the warfighting, intelligence and business missions.
The second is mission assurance enhancement to ensure that the Global Information Grid supports DOD missions under all threats: cyberspace and physical.
The third is knowledge as a strategic asset. We want to enhance decision-making through timely and assured information sharing. The fourth is portfolio management where we provide for the timely and effective delivery of key netcentric capabilities through portfolio management. The fifth is national leadership support: to expedite the implementation of unique C3 capabilities that support the national leadership and DOD core missions.
DS: What’s at the top of your list for the transition?
Grimes: I focus on the net-centered capabilities, the infrastructure and those core IT services that we have been working on. It was started before I arrived, and this is to ensure that we have interoperability and supportability.
Those are the things that drive our five key priorities. I recently attended a meeting with the department’s transition task force to make sure that we are in concert. I will hand my own plan over to my successor, and it may be that I won’t see him but it will be done.
DS: What's the biggest barrier to a better alignment of the military services' IT infrastructures?
Grimes: One of our challenges, which is true for most large organizations – both public and private – has been the transition from an era where local commands built local-area networks and developed local applications for customer requirements to where organizations have to work together for interoperability to get the right information to the right person at the right time around the globe.
There is a single DOD IT team now.
Our existing governance structures, such as the DOD CIO Executive Board and CIO/C4 principals, along with the military departments, the intelligence community and my CIO team, are all working closely together on interoperability and information assurance issues that are aligning our infrastructure and information systems.
We have dozens of initiatives that we are working hand-in-hand with the CIO of the Director of National Intelligence.
For example, in the area of certification and accreditation, reciprocal agreements are going to make a huge impact on the way we field systems. If DOD or DNI rolls out a system, we’ll accept their certification. That saves time and makes things easier for our people, and it makes more funding available to deliver capability instead of filling out paperwork.
One of the biggest challenges we’ve had in government is sharing information, especially among agencies. Working with Dale Meyerrose, we established the Unified Cross Domain Management Office about two years ago to look at the countless solutions out there and start paring them down. We’ve cut an initial inventory of more than 2,000 systems by 90 percent and established a set of systems that work in across various operational in DOD and DNI. So that’s a huge step forward.
We have successfully implemented a single smart card/public-key infrastructure solution across the entire DOD, with 3.5 million users. The Common Access Card has significantly improved our information security through cryptographic log-on and secure access to the Web, enabled us to move from laborintensive paper processes to electronic government solutions through the use of digital signatures and is improving physical security access at our military bases.
Our DOD Enterprise Software Initiative has allowed us to leverage our buying power across DOD to reduce costs and align on software licensing efforts.
We not only have achieved cost avoidances of $2 billion over the last eight years or so but also our work has served as the genesis for the federal government’s SmartBuy initiative. As an example, last year, our DOD team led the work to put into place an enterprise buying agreement for data-at-rest encryption for laptops and personal digital assistants that is now available not only to all of DOD but also the rest of the federal government, as well as every state and local government across the country.
Our movement to service-oriented architecture is providing great opportunities for the department to quickly deploy Web services that make information available across organizational boundaries.
And we have made great progress in implementing the core enterprise services, such as collaboration and content discovery, that will be used by the entire department.
DS: There recently was a significant cyberattack on Georgia timed with Russia's invasion of that country. And there have already been a large number of data thefts from the Unclassified but Sensitive Internet Protocol Router Network, according to Strategic Command Commander Gen. Kevin Chilton and others. How will DOD address information assurance and prevention of the type of attack that happened to Georgia?
Grimes: The problem of securing information and networks is challenging.
Some efforts are focused at the user level, like increased or updated information assurance training for both the system administrators and users and implementing CAC/PKI to reinforce access control.
Other efforts are focused at the computer system level, things like a host-based security system on department computers to prevent automatic execution of malware; the use of antivirus and antimalware software to detect and eliminate bad code from user PCs; and one of our more recent success stories — the implementation of enterprise-level data-at-rest encryption capability on the mobile systems.
The data-at-rest approach is helping us prevent data loss from stolen or misplaced laptop computers.
The second part is: What are we doing to prevent distributed denial of service? DOD is enhancing its sensor grid at the perimeter and enclave for better intrusion sensing and containment. The implementation of intrusion-prevention systems and intrusion-detection systems at our Internet gateways helps identify and block network traffic containing malware signatures and patterns and prevent Web servers from being compromised or overloaded with factitious traffic.
By regulating external access to DOD applications and data and public information services pages using network demilitarized zones (DMZs), Web-content filtering, and upgraded domain name service at our Internet gateways, we are reducing outside threats and minimizing exposure to the malicious activity, worms and viruses that plague the Internet.
Aggressive management and oversight by the Joint Task Force–Global Network Operations provides early warning situational awareness to the department on denial-of-services and distributed denial-of-service incidents.
DS: Is the weak link the NIPRnet’s connection to the Internet?
Grimes: Correct. And we are putting in DMZs to control that access. Dot-mil and dot-gov will be DMZs, and there will be fewer connections. That’s what we’re doing. We’re reducing the connections, which reduces vulnerability.
DS: At the Army’s LandWarNet conference in August, Gen. Chilton said the military services see a significant spike in Internet usage in March for the NCAA Tournament. He raised the possibility of ending, or at least severely curtailing, the use of military networks for that type of use. Is that something you support?
Grimes: Yes. We are evaluating that also because of morale and the welfare of our troops. We put some limitations on access to certain Web sites about a year ago. But when we do, we continue to give access through other means, particularly for our service men and women.
But the other problem with what you just said is when the employees and the servicemen use bandwidth for personal reasons.
The reason we’ve had to restrict, especially going into certain theaters, is the bandwidth that is being used for personal reasons that could impact the mission of the warfighter. So that’s one of the reasons that we’re evaluating this right now, along with improving the protection of that information. And when I say information, I’m talking about content. What happens is that when you use those tools and have access to those sites, it also opens up vulnerability for people to get back into your own network.
DS: You’ve also discussed the idea of establishing knowledge as a critical strategic capability, both by increasing awareness of the value of knowledge as a national asset and expediting the sharing of vital data throughout the federal government through technology and policy initiatives. How do projects like Defense Knowledge Online reflect that goal, and what other specific initiatives do you see aiding in that mission?
Grimes: The department’s commitment to creating an information advantage is taking shape through our DOD Net-Centric Data Strategy. We’ve seen great successes in areas like maritime domain awareness, where, by making data discoverable, we have been able to deliver new capabilities in months, not years, and at a fraction of the cost of replacing legacy systems with new IT systems.
The power of moving to a service- oriented enterprise is significantly improving our ability to share information with the right people at the right time. As part of this move to Web services, we have focused a lot of energy on delivering core enterprise services across the entire department. Defense Knowledge Online is a huge step in that direction. We’ve been using standard collaboration tools, content staging and content discovery services and are working on the delivery of identity services.
I believe the new administration will be happy with the department’s IT posture and program initiatives. Our critical issue will continue to be cyber intrusions on both the physical networks and the information resident in those networks.