DOD Acting CIO: JWCC is First Step in Multi-Cloud Environment

The Defense Department is moving away from the “nuts and bolts” work of building a multi-cloud environment through the Joint Warfighting Cloud Capability (JWCC) and transitioning toward the implementation of attribute-based access control, said Acting CIO Leslie Beavers Thursday.

“JWCC got us started. That’s not where we end. We need a multi-vendor, multi-cloud environment that behaves as if it were a single vendor, single cloud. And we need it with our allies and partners,” Beavers said at the Defense IT Summit in Arlington, Virginia.

She spoke to the crowd about some of the developments ahead and the work she has been doing in collaboration with “Five Eyes” partners, NATO and Pacific allies like Korea and Japan to integrate them into a “seamless environment for the warfighter to act.”

Software factories will also play a critical role in testing and scaling software delivery, Beavers said. Service branches like the Marine Corps, which launched its software factory in 2023, have used the initiatives to leverage next-generation digital skill sets, and upskill them to be comfortable developing software solutions.

“You’re going to see in the coming years, a larger focus on really maturing the software factory ecosystem and making it more integrated to deliver at the enterprise levels. The software is where the magic happens,” Beavers said.

She also emphasized the importance of monitoring and understanding supply chains for software and hardware. Buying American or Five Eyes-made software gives leaders the ability to truly secure the supply chain’s security and software assets.

“It’s not a one and done,” Beavers said. “You’ve got to have ongoing development of the ongoing security work to contain the software, so there’s a long tail in that operation and maintenance portion to software.”

Beavers expressed confidence that the DOD will build out its zero-trust cybersecurity framework by 2027 for traditional networks, but said operational technology and the internet of things with the DOD will only be secure through collective contribution.

“This is something that we can’t do from CIO. This is something that we can help you figure out how to do, but everybody who owns this equipment and who rents this equipment has to take cybersecurity seriously, and they have to build it in from the beginning,” Beavers said. “If they didn’t, they need to go back and repurpose it, or we need to retire it.”

Beavers highlighted the DOD’s efforts to upskill, train and retain employees through its talent exchange programs and cyber academic engagement office, but said the level of training must increase in sophistication.

The department has also reduced its time to hire from over 150 days to an average of 79 days, beating OPM’s 80-day average goal.

“The Defense Department, in a lot of ways, is kind of like a university in that we grow talent for the workplace. We have to train and develop our own people, our own skills for cybersecurity, cyber defense, cyber operations,” Beavers said.