Navy Launches Aggressive Virtualization Plan

Author Henry Kenyon

The Navy is trying to accelerate efforts to virtualize more of its IT operations with the launch of a new pilot program to test hosted virtual desktops. The pilot program is intended to gauge what kind of cost savings the Navy might expect by using software to run remote versions of desktop computers and relying on thin- or zero-client devices. The initiative is expected to reduce equipment and overhead costs, and improve security, but how much it would save the Navy is not clear.

The Hosted Virtual Desktop (HVD) pilot will support up to 7,500 users on the Navy and Marine Corps Intranet. According to Navy officials, HVD will allow users to access software tools and applications from a data center via a terminal or other device. Because the software isn’t tied to a specific piece of equipment, it will allow a variety of devices to access the desktop, from inside and outside the unclassified NMCI.

By virtualizing desktop services, the Navy hopes to save money and increase its IT efficiency by centralizing security patching and updating, cutting the need for onsite tech support, and increasing security.

“We’re doing it for cost and security,” said Navy CIO Terry Halverson at an industry forum Aug. 7. “If I can get to a higher volume of HVD users, the pure cost of the device is much less,” he said, suggesting that $400 per device was a reasonable estimate.

Halverson noted the increased security provided by centralizing the data services. “There’s no residue data left on the device,” once it’s turned off, he said. And the ability to centrally manage security administration instead of on the devices themselves will allow users to use their personal computers to telework and to access controlled unclassified information, he added.

The HVD pilot falls in with a larger Navy virtualization effort. On July 29, Halverson issued a memorandum that requires the service to virtualize all its current server-based systems and applications by the end of the 2017 fiscal year. The memo also applies to the Marine Corps and calls for both services to submit virtualization plans within 120 days. The plans will detail how they will upgrade all of their servers and server-based systems and applications. The announcement will likely affect the host of IT contractors and subcontractors supporting Navy and Marine Corps systems.

Virtualization is nothing new to the civilian government or the DOD. Major initiatives were launched under the Obama Administration to increase the cost savings of federal IT systems through efficiencies such as consolidating data centers. A key to all of these efforts is virtualization because it allows organizations to do more with less equipment. Virtualization is also at the heart of modern commercial cloud technology, something the government is embracing as well.

Although the memo highlights virtualization, it also leaves room for other approaches for greater efficiency and cost savings. According to the Navy, the timeline allows for virtualization to take place in steps or phases. This allows the service to also run other efficiency efforts in parallel, such as system/application rationalization, standardization and data center consolidation.

Navy and Marine Corps organizations who believe that their systems can’t be virtualized must submit a waiver to their respective service CIOs for approval by Sept. 30, 2014. These waivers are not permanent; they will be good for one year and reconsidered during every following annual review.

Henry Kenyon is a contributing writer to InformationWeek Government. He has covered Government IT and Defense markets since 1999 for a variety of publications including Government Computer News, Federal Computer Week, …

Commerce Dept. critical of liability protection as cybersecurity framework incentive

Fierce Government IT

Liability protection as an incentive for private sector adoption of the cybersecurity framework under development by the National Institute of Standards and Technology requires further study, says the Commerce Department in a discussion paper that takes a skeptical view of the need for protection against tort claims and other possible private sector incentives.

NIST plans on releasing a preliminary version of the standards-based framework this October; President Obama called for its creation and voluntary adoption by operators of critical infrastructure in a February executive order, EO 13636. Multiple federal agencies are studying what incentives the federal government could extend to operators for its implementation.

In an Aug. 6 blog post, the White House cyber czar Michael Daniel lists eight possible incentives without expressing open preference for any.

The Commerce Department offers more analysis in a discussion paper (.pdf) that, like the White House, includes liability protection for the private sector as a possible incentive. The paper casts critical light on the need for liability limitation, noting that department officials are “not aware of any tort claims against critical infrastructure providers for loss resulting from a cyber attack” and that there exist no other examples where limiting liability for analogous hazards helped align risk-prevention measures with company efforts.

It also quotes a June 3, 2013 letter from Sen. Jay Rockefeller (D-W.Va.) stating that liability protection “would turn existing market incentives for implementing cybersecurity best practices on their head,” since prospectively granting relief from damages could discourage private sector improvements in cybersecurity. Rockefeller, chair of the Senate Commerce, Science and Transportation Committee, is co-sponsor of legislation (S.1353) that would codify the framework into law.

In short, “Commerce advises further study on the concept of modifying tort liability,” the paper says.

The discussion paper also draws attention to drawbacks in another type of possible incentive, that of federal grants – a method the Homeland Security Department has said it may favor.

Direct grants to defray costs of implementing the framework have the significant drawback of creating a moral hazard “by providing a subsidy for companies that choose not to invest their own resources in participating in the program,” Commerce says. In addition, direct grants would require new legislation, it adds.

Integrating framework adoption as an evaluation criterion of grant applications could be done under existing authority, the paper says, but “the appeal of this incentive is relatively limited.” It would not guarantee broad adoption in critical infrastructure sectors.

The paper flat out rejects the possibility of a tax incentive – one the White House also doesn’t list in Daniel’s blog post. A research and development credit wouldn’t foster short-term motivation to adopt the framework, Commerce says, and a capital gains tax cut for shareholders wouldn’t translate into company adoption of it unless the company sells its own holdings and uses the money for cybersecurity.

The discussion does call for collaboration between NIST and insurance companies in developing the framework in a bid to cultivate a cyber insurance market. The report quotes comments from insurance carrier Marsh that once NIST develops cybersecurity metrics as part of the framework, insurers can in turn adapt the framework to develop company risk profiles.

It also says public-private research cooperatives – a model of which could be the existing NIST-run National Cybersecurity Center of Excellence – could assist in developing solutions to gaps, “particularly when commercial solutions are available but encounter barriers to implementation.”

The paper also says that many companies have called for an optional public recognition program for recipients, such as an emblem they could display. Commerce says it believes that most companies would want to display such an emblem, but that the emblem could also serve as a magnet to hackers. Additional consideration is needed, it says.
