1. “The global hub for educating, informing, and connecting Age leaders.” National Defense University Information Management Resource College Ensuring Cloud Computing Security through Supply Chain, Acquisition and Project Management Education Dr. Michael J. Donohoe Professor, National Defense University “The views expressed in this presentation/article are those of the author and do not reflect the official policy or position of the National Defense University, the Department of Defense, or the U.S. Government.”

2. Preparing for the Cloud Computing Storm Next Wave in Business Transformation Vivek Kundra, Federal CIO, 25 Point Implementation Plan to Reform Federal Information Technology Management –Shift to a “Cloud First” policy –"The cloud will do for government what the Internet did in the '90s” –Move Data Centers to the Cloud for both cost and energy savings via consolidation Both cloud security awareness and information assurance risks need to be “built into” the defense acquisition and IT project management processes –Security, Acquisition and IT Project Management professionals will need Cloud Computing education & guidance to encourage adoption Vs. the common statement of ‘you can’t do that’

3. Preparing for the Cloud Computing Storm Next Wave in Business Transformation Federal Risk and Authorization Management Program (FedRAMP), a standard approach to assessing and authorizing cloud computing services and products. Cyber-Supply Chain Risk Management (C-SCRM) Code of Practice, NIST Sponsored Project by University of Maryland Smith School of Business Information Assurance Technology Analysis Center (IATAC), Security Risk Management for Off the Shelf (OTS) Information and Communications Technology, State of Art Report (SOAR) –Comprehensive book of knowledge on Cyber Supply Chain Products and Services Best Practice Centers for Cloud Computing & Cyber Supply Chain Management (DISA / Forge.Mil, Capability Maturity Model Integration for Acquisitions (CMMI-ACQ) & Supply Chain Operations Reference (SCOR) Model) Promote cloud computing education at the management level (functional and technical) to lead organizational cloud initiatives: and avoid project delays, scope creep, increased costs, or security failures

4. 4 Cloud Computing Guidance & Complia nce US National Institute of Standards and Technology (NIST) Cloud Computing defined “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. ” Federal Information Security Management Act (FISMA) of 2002 and the associated NISTS standards and special publications (e.g., FIPS 199, FIPS 200, SP 800-53 etc) apply to Cloud Systems NIST Special Publication 800-146 Cloud Computing Synopsis and Recommendations ( Draft 5-12-2011 w/comment deadline of 6-13-2011) –Some applications will “need to be reengineered to realize the full benefits of the new computing capacity that is now available on demand” –Decades of traditional distributed computing topics are still open with Cloud Computing (Computing Performance, Latency, Off-Line Data Synchronization, Cloud Provider Outages, ….etc.)

5. Cloud Computing a Wicked Problem Government & Defense usage of cloud computing is a wicked problem, where a complex mass of technology, software services, service providers, and consumers meet in a virtual space having either shared or unique business needs, bound by Service Level Agreements (SLAs), contracts, and security constraints that cannot be solved with a simple linear problem-solving process Often there is no one standard solution to a wicked problem; in most cases each approach will be different and requires a mature knowledge on how to ‘align or best fit’ the organization’s IT enterprise architecture strategy with cloud computing services Many variables need to be considered, requiring multiple stakeholder and cloud computing supply chain vendor assessments; in short the Cloud Computing wicked problem should NOT be oversimplified

6. Gartner Hype Cycle Government Transformation 2010 Govt. Cloud is Lagging both Public and Private –Security/Risks –Knowledge – $$$ –Consulting FUD Fear Uncertainty Doubt

7. Budget Reductions are Powering the Winds of Change Forcing A Transformational Shift in the Defense Acquisition of Services Dr. Ashton B. Carter, Under Secretary of Defense for Acquisition, Technology and Logistics, is leading the change: –Focus is on taxpayer value (good buying power) combined with slower increases in defense spending “we’re not going to get out of it by reaching for more money…the taxpayer is going to be looking to us make the best use of each and every dollar that they feel that they can afford to give us” –Constraints in current acquisition process need to be removed to deliver effective solutions to the war fighter "We have an acquisition system and decision-making system that is very slow, very painstaking, very risk-averse, seeks perfection and certainty … need to react on a scale of weeks and months”

8. Budget Reductions are Powering the Winds of Change Forcing A Transformational Shift in the Defense Acquisition of Services –Pentagon spends $200 billion a year on the acquisition of services, yet the $100 billion spent on acquisitions always gets the most attention Service agreements are often made by people whose principal skills often are not in acquisitions “It’s not surprising that they’re not very good at it” "Over time, it's hollowing out our own capability” too much thinking by RFP processes. "We have to make sure that we fill out the skill sets where we are thin” talent should be as good as what is available in industry “it's important to give in-house developers or designers the opportunity to perform work that may be automatically sought from external suppliers” –Acquisition professionals, IT managers, and IT Project Managers need greater knowledge of the IT services supply chain and select only external solutions when needed.

9. Need for Information Technology Education Dr. Robert Childs, Chancellor of NDU iCollege, May 6 th, 2011 address to faculty –“Information drives every conversation, it is the Alpha and Omega” –“Cloud Computing and Data Center Consolidation are very high on the list of priorities for all Military CIOs” –“Cyber is the most critical domain of the century” History repeats itself, through innovation and the need to manage the increasing dependency on IT solutions; Cloud Computing is not the first –Mainframe, Personal Computer, Client Server Computing, Internet, ERP Solutions, Web 2.0, Data Analytics, & Mobile Apps DoD Cloud experts, not contractors, should lead Cloud Computing Project Implementations (Educational Gap) –DoD employees take key leadership, functional, technical and project management roles, that will result in a cloud computing transformation driven by the DoD; not consultants

10. IT Project Management Education Focus on Educating the Defense Professional to be Cloud Ready IT Project Management competencies developed in three dimensions: – Project leadership skills – IT program/project management concepts & methods – IT acquisition, architecture and latest development issues IT Project Management organizational learning, needs to be agile, adaptive, & scalable to keep pace with the transformational shift from legacy, enterprise resource planning (ERP) to cloud computing applications and services. 6 courses complete the iCollege certificate

11. 11 Caveats This presentation provides background material to stimulate discussion of the need for an educated defense workforce in the areas of Supply Chain, Acquisition and IT Project Management, to ensure successful business transformation to a Secure Cloud Computing environment

12. “The global hub for educating, informing, and connecting Age leaders.” AFCEA TechNet Europe 2011 Bratislava, Slovakia Ensuring Cloud Computing Security through Supply Chain, Acquisition and Project Management Education Dr. Michael J. Donohoe Professor, National Defense University