Photo by panumas nikhomkhai, Pexels
The Army’s new chief information officer discusses his vision for the OCIO and getting the right data to Soldiers.
by Jacqueline M. Hames
In the information age, we’re surrounded by data—we can find practically anything about any subject on an internet search, including misinformation. We can pull statistics on our social media performance from the native platforms. We can read scientific studies and research papers for free online, or we can post our own opinions on blogs. It’s a constant cascade of information that we must sort through.
“A lot of times having all the data available all the time is not as helpful as we think it is,” Leonel Garciga, the Army’s new chief information officer, said during an interview with Army AL&T in August 2023.
At the most tactical level, Soldiers don’t need the 50,000 fields of information on how their mission was selected or various collateral information on the mission’s ramifications—they just need the specific information on the target, Garciga said. A natural shift toward this type of specific data is already taking place, with the Army focused on reducing kit and ensuring Soldiers know what data they need, he explained.
Minimizing the data from a huge pool at the enterprise level down to what’s needed for the user is key—it will help drive the Army’s decision-making process throughout the development of various programs and policies, especially those from the Office of the Chief Information Officer (OCIO). The best way to do that is through maturing the secretariat and perfecting the management of the OCIO’s critical oversight and governance responsibilities.
RISE TO THE CHALLENGE
The OCIO and the Army will face a handful of challenges in the coming years. One of the most difficult from an oversight and governance perspective is incorporating new technologies into the Army’s network. For example, policy isn’t currently supporting the use of commercially available artificial intelligence and machine learning. “We all love going online and using some of these services, but it’s a little different if you have CUI [controlled unclassified information] and government data, or if you’re using government data that has some privacy information there. So how do we start putting out some guidance to make sure we don’t get ourselves into trouble down the road, and that we have a good approach to audit that?” Garciga said.
Another major challenge that the Army will face in the next few years is reducing the amount of technical debit, or tech debt, incurred over the last two decades, Garciga said. Tech debt is the implied cost incurred when businesses do not fix problems that will affect them in the future—and the longer a business waits, the more costly it will be to fix. In the cybersecurity realm, tech debt can be accrued from poor cyber hygiene practices. For example, while some cybersecurity programs may have expanded, they may not have kept pace with the organizations’ operational growth investments.
“It’s definitely going to be challenged by legacy integration methodology on the data side, and legacy access control methodology, which is going to be kind of an Achilles heel moving forward,” Garciga said. Access control methodology is a data security process that enables organizations to manage who is authorized to access corporate data and resources. Secure access control uses policies that verify users are who they claim to be and ensures appropriate control access levels are granted to users.
“I think the big piece here is how do we start looking at bringing in mitigation strategies to get at that, and as we move the enterprise toward a zero trust environment, how do we make sure that we don’t leave some of those legacy capabilities that we can’t modernize … and bring them forward, or at least get them to a state that is a lot more secure?”
Mitigating legacy tech debt and ensuring cloud environments are secured appropriately will be major focuses in the future.
“As we look at expanding into the multivendor cloud service provider environment, this becomes even more challenging in the sense of having that skill set that ubiquitously understands across the landscape—not just what the cloud service providers are delivering, but how we take their implementation from a security perspective and secure it to meet our needs,” Garciga said.
Ultimately, the OCIO will need to understand the enterprise across all mission areas, and how data is being accessed and used, and how to audit data at scale, he explained.
HARD AT WORK
Leonel Garciga (right), the U.S. Army chief information officer, addresses a panel on Oct. 10, 2023, during the Under Secretary of the Army’s Digital Transformation Panel at the Walter E. Washington Convention Center in Washington. The event was in support of the Association of the United States Army 2023 Annual Meeting and Exposition. (Photo by Jeremy Carlin, USAASC)
WORKING TO ZERO TRUST
From the Army’s perspective, network convergence is a primary goal, Garciga said. Executing the Unified Network Plan—a framework that ensures technological dominance and establishes the foundation for a multidomain operations-capable force by 2028—and other technology implementation and integration projects in support of unified network operations brings the Army closer to meeting the pillars of zero trust, he said.
This will help the Army to perform defensive cyber operations “in a much more streamlined way across the entire network,” he explained. “I think our unified security incident event management … is going to be super, super important. That’s one of the more critical capabilities that we’re working on—continued expansion of the big data platform Gabriel Nimbus for the Army to support the DCO [defensive cyber operations] mission.”
Gabriel Nimbus is a system designed to store and visualize large datasets, and also link the tactical side of the enterprise network to the strategic level to aid in decision-making. That platform is an example of where the Army has done a great job aggregating and analyzing data, Garciga said.
“Those two things are going to be critical linchpins for zero trust,” he said. “We could not only see ourselves, but we can have some of that core capability to do the analytical work we need to do in the event that there was a compromise or in the event that we had an insider problem that we had to triage. Those are critical.”
Another critical piece of the zero trust puzzle is identity, credential and access management (ICAM), Garciga said. The Program Executive Office for Enterprise Information Systems established ICAM in January 2023 to create a global, scalable and robust capability with a single set of authoritative identity data to give access to Army information technology resources at the point of need. ICAM “really helps us get at step one business system audit, believe it or not,” and lays the foundation for the work the Army needs to do to make data available across all the mission areas and functional areas that have unique sharing constraints, he explained.
GETTING OUT OF (TECH) DEBT
Tech debt is the implied cost incurred when businesses do not fix problems that will affect them in the future. In cybersecurity, tech debt can be accrued from poor cyber hygiene practices. (Photo by Dragos Condrea, Getty Images)
SCALE UP
The OCIO needs to rethink the way it integrates with the Army acquisition community and become more of an enabler for that community, Garciga said. “I think that’s going to be the next step—how do we ingrain that in everyone and thicken that relationship? And the other piece is really reshaping the way we do non-acquisition program delivery. I think that’s huge. I think that continues to be one of the biggest challenges in the department, both fiscally and from a cybersecurity perspective,” he explained.
The cybersecurity and software acquisition pathways can have policy debt as well as tech debt. It’s important to determine which policies are value added and need to be implemented, and which are extraneous and a barrier to delivering capability. “People don’t like talking about it [policy], but it matters, right? If you’re a PM [program manager], it matters a lot,” Garciga said. “It costs money, it costs time and sometimes it slows you down.” He wants to figure out what guidance will best support the DevSecOps work that the program managers are doing.
The OCIO must examine how to support the Army’s four pilot continuous integration and continuous delivery selected acquisition programs from a cybersecurity and portfolio perspective, he added. Currently, there isn’t much official guidance on the subject, and it keeps Garciga up at night because if “you get it wrong, you just deliver software faster with more risk, as opposed to delivering software fast—that’s secure,” he said.
“The key there is getting some of that guidance and making sure that we’re having that conversation with [the assistant secretary of the Army for acquisition, logistics and technology] to shape what that looks like,” Garciga said. “The other piece of that is testing. … How we integrate the test community into that is extremely huge.”
The OCIO also needs to determine how to support commands and what they need for their missions on a large scale, Garciga said. “We’re not a bodega—we’re Walmart plus Amazon. … It’s hard to run your own Amazon and Walmart at the same time.”
Providing guidance that supports both the logistics personnel that are trying to get parts in the motor pool and that intelligence personnel that are trying to get sensitive data to warfighters is extremely complex. “Those are like different planets,” he said. “How do you make sure that you can shape some guidance out there that supports both what folks are doing on the acquisition side and supports what folks are doing on the mission side?” There’s a balance that needs to be found with that, and Garciga hopes to help the OCIO and find that balance as much as he can.
GABRIEL NIMBUS
Gabriel Nimbus, a big data platform, is designed to store and visualize large data sets, and link the tactical side of the enterprise network to the strategic level to aid in decision-making. (Photo by Scanrail, Adobe Stock)
CONCLUSION
The conversation in the cyber space must shift to integration, and not just making data available according to set standards, Garciga explained.
When he looks across the warfighting mission and the intelligence space, he sees the potential for growth in data integration and interoperability. “In an environment where we definitely have never fought alone—and we’re not going to, we fight with our joint partners—it continues to be more and more critical that we get at some of our interoperability and integration challenges across the board,” Garciga said.
Getting users the data they need at the right time and in the right place is paramount.
For more information about the OCIO, go to https://www.army.mil/cio.
JACQUELINE M. HAMES is the senior editor at Army AL&T magazine. She holds a B.A. in creative writing from Christopher Newport University. She has more than 15 years of experience writing and editing news and feature articles for publication.
