Common Desktop, the Foundation for IC ITE, Expands Footprint
photo credit: DIA
The intelligence community’s common desktop system, which now serves more than 50,000 users, will spread to new users this fall and early next year.
The Common Desktop Environment (DTE) covers nearly all of the Defense Intelligence Agency and National Geospatial Agency (NGA). A joint program office run by the two agencies will put a new architecture to the test this fall. Once accredited, the joint office will begin rolling out the Phase 2 system in January with a limited number of users and launch a full-scale rollout next April.
DTE was developed as NGA moved to its new headquarters in 2011 and soon after expanded to DIA. Now a Joint Program Office runs the program, led by Kendrea DeLauter, a former analyst who heads the effort to create a single shared desktop computer system for the entire national intelligence apparatus.
The Face of IC ITE
DTE is one of nine core building blocks making up the Intelligence Community Information Technology Enterprise (IC ITE). It may be the most important – the single shared interface that everyone in the community will experience on a day-to-day basis.
“DTE is the user-facing component of IC ITE,” DeLauter told GovTechWorks in a modern, glassed-in conference room in DIA’s glistening headquarters at Joint Base Anacostia-Bolling, the walled mini-city across the river from Reagan National Airport in Washington, DC. “Everybody works off a desktop or laptop that allows them to get access to their data. It basically affects everybody who works with a desktop or laptop computer.”
This makes DTE not just user facing, but the literal face of IC ITE to the community. Everything else is accessed through the desktop, effectively making those other eight components invisible to users:
- Commercial cloud services
- Government cloud services
- Enterprise Management (EMT), comprising the help desk and system management functions
- Identification, authorization and authentication (IAA) for access control
- Integrated Transport Service
- Security Coordination
- Application Mall
IC ITE, like the Defense Department’s Joint Information Environment, is not a program of record by itself. Rather, it’s the umbrella that unifies a series of IC-wide programs into a single vision. “It’s all of the agencies getting together and bringing our tools to a better standard, but doing it within our programs,” DeLauter says. “That will be an incredible test of integration across the intelligence community.”
Much of it rests on her shoulders.
Evolution of DTE
DTE came about almost as an accident. As NGA was moving into its new Springfield, Va., offices in September 2011, agency leaders sought a way to reduce the power consumption needed for every workstation and to accommodate the “green” building design. NGA’s IT support contractor, General Dynamics Information Technology, came up with a state-of-the-art design for a virtual desktop infrastructure (VDI). With approval of this design, NGA could reduce power requirements, network cabling and systems support requirements and enhance security at the same time. Patching could be done centrally, resources could be shared and users could be more mobile. Instead of being tied to a cubicle, they could easily move from work area to work area as needed, with email, phone number and data available simply by logging into a terminal anywhere in the building.
The effort was a runaway success, and soon DIA joined in, followed by intelligence teams at the joint combatant commands and Coast Guard Intelligence. To date, more than 72,000 users have been credentialed, although the actual number of current users is closer to 50,000, as retirements, transfers and normal attrition account for thousands of departures each year.
Eventually, DTE will boast some 250,000 users and possibly more. It will serve 17 intelligence agencies, plus some organizations “on the fringes,” DeLauter says, adding that the Office of the Secretary of Defense “has some interest in the system.”
Almost all of NGA and DIA are using the system, with a few exceptions. Additional users are added regularly, sometimes hundreds at a time.
The transition was smooth, she said, thanks to extensive advance planning and outreach by the government-contractor team: emails, town halls, helpful tips and instructions all contributed to making the move easy on users, whose greatest worries revolved around ensuring access to favorite applications.
“You need to make sure you have a good customer experience the first time or you don’t get someone who’s going to be an advocate for you,” DeLauter says. “We put a heavy emphasis on the customer experience.”
Surveys showed 90 percent satisfaction rates for those who took advantage of the advance information, though the rate was lower for the inevitable portion who were too busy, distracted or fearful of change to prepare themselves for the move.
The biggest beef? Some applications weren’t ready in time. But with some 400 applications across the two organizations, that was inevitable. To minimize stress, the system was rolled out gradually, beginning with standard users – those performing basic computing functions and moving gradually up the scale to more sophisticated, high-demand users.
“We did not migrate the analysts first, because they tend to have the more complicated requirements,” DeLauter said.
Analysts are the power users, with more demanding applications and requirements. For some, those applications are accessed via a browser, while others were incorporated into the system image. For the most demanding instances, users were put on a thick client, rather than a thin client.
Now DTE is entering its next stage. Phase 2 will deploy DTE to at least 10 more agencies over the next few years, using a new architecture and a new contractor. Phase 1’s 50,000-plus users will have to be migrated to the new platform as well before they are fully compatible with other users. Phase 2 uses an all-Microsoft software stack, including Microsoft Hyper-V in place of VMware’s ESXi for virtualization and Skype for Business in place of the Cisco Unified Communications suite, the voice application used in Phase 1.
But Phase 2 has been slow out of the starting blocks. Starting from scratch, the follow-on program has been held up by negotiations over software licensing and supply chain delays, DeLauter says. While Phase 1 moved from contract to initial deployment in just six months, Phase 2 has taken about three times that long, and is not yet accredited. DeLauter says that should happen this fall, with the first few pilot users getting on the system in December and January, before a broader rollout in April.
To achieve that schedule, the Joint Program Office and Phase 2 contractor BAE want participating agencies to sign task order agreements now, even before the system is proven and accredited. The security accreditation process for such Top Secret systems can take 90 days or longer, depending on whether significant deficiencies are identified.
So the planned January roll-out depends on no major problems emerging this fall.
“We’ve been testing the data centers and getting the data centers ready, but not all the equipment is installed yet,” DeLauter said in June. Setting up an acceptable supply chain “for something that was going to be a community system” took longer than anticipated, as did extensive license negotiations aimed at reducing the number of licenses needed by accounting for users who move from one agency to another.
DeLauter says the testing will prove whether the approach was right or not, but that the technology decisions point to a more efficient and more secure system, including an integrated security enclave to support controlled access for multiple international partners with different levels of access.
The new system uses attribute-based access controls (ABAC), with enforcement extending to email, SharePoint and directory files. “That’s a little new for the community and it will take some getting used to,” DeLauter said.
Security controls can also grant system administrators short-term access that is limited to what they need to know for a given task, a response to the Edward Snowden leaks, in which he abused administrative privileges to download thousands of documents, subsequently publishing them via WikiLeaks. For administrators, it means having limited time and access privileges to do system maintenance, or risk being kicked offline mid-job.
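The two controls described above (attribute-based access decisions applied uniformly to email, SharePoint and file resources, and administrator privileges that expire on their own) as an added example: a small Python policy decision point written for this article, not code from DTE, the Joint Program Office or BAE. The classes `Subject`, `Resource` and `AdminGrant`, the functions `decide` and `grant_admin`, the clearance ordering, and every user, project tag and timestamp are constructed for illustration.

```python
"""Added example (not DTE/JPO/BAE code): a minimal attribute-based access
control (ABAC) decision point with time-boxed administrator grants.
All names, attributes and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Ordering of classification levels; constructed, not an official scheme.
LEVEL = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str
    nationality: str
    projects: frozenset  # need-to-know tags the user is read on to


@dataclass(frozen=True)
class Resource:
    kind: str                 # "email", "sharepoint" or "file": one rule set for all
    classification: str
    releasable_to: frozenset  # nationalities allowed to see it (partner support)
    projects: frozenset       # need-to-know tags required (empty = none)


@dataclass(frozen=True)
class AdminGrant:
    user: str
    kind: str                 # resource kind the maintenance window covers
    expires_at: datetime


def decide(subject, action, resource, now, grants=()):
    """Return (allowed, reason). Every check is driven by attributes, not by
    the resource kind, which is how one policy covers email, SharePoint and
    file shares alike."""
    if LEVEL[subject.clearance] < LEVEL[resource.classification]:
        return False, "clearance below classification"
    if subject.nationality not in resource.releasable_to:
        return False, "not releasable to subject's nationality"
    if action == "read":
        # Need-to-know: the subject must share at least one project tag.
        if resource.projects and not (subject.projects & resource.projects):
            return False, "no need-to-know for this project"
        return True, "read permitted"
    if action == "admin":
        # Maintenance requires an unexpired grant for this resource kind;
        # once the window lapses, further admin actions are refused.
        for g in grants:
            if g.user == subject.user and g.kind == resource.kind and now < g.expires_at:
                return True, f"admin grant valid until {g.expires_at.isoformat()}"
        return False, "no unexpired admin grant for this resource kind"
    return False, f"unknown action {action!r}"


def grant_admin(user, kind, now, minutes):
    """Issue a maintenance window that expires on its own."""
    return AdminGrant(user, kind, now + timedelta(minutes=minutes))


# Constructed sample subjects, resources and a two-hour admin window.
T0 = datetime(2016, 8, 1, 9, 0, tzinfo=timezone.utc)
ANALYST = Subject("analyst1", "TOP SECRET", "USA", frozenset({"proj-a"}))
SYSADMIN = Subject("admin1", "TOP SECRET", "USA", frozenset())
PARTNER = Subject("partner1", "SECRET", "GBR", frozenset({"proj-a"}))

FILE_A = Resource("file", "TOP SECRET", frozenset({"USA"}), frozenset({"proj-a"}))
MAIL_REL = Resource("email", "SECRET", frozenset({"USA", "GBR"}), frozenset())
SP_B = Resource("sharepoint", "SECRET", frozenset({"USA", "GBR"}), frozenset({"proj-b"}))

WINDOW = grant_admin("admin1", "file", T0, 120)


def demo():
    """Evaluate the cases the article describes; returns name -> allowed."""
    return {
        "analyst_reads_file": decide(ANALYST, "read", FILE_A, T0)[0],
        "partner_reads_file": decide(PARTNER, "read", FILE_A, T0)[0],
        "partner_reads_mail": decide(PARTNER, "read", MAIL_REL, T0)[0],
        "analyst_reads_sp_b": decide(ANALYST, "read", SP_B, T0)[0],
        "admin_in_window": decide(SYSADMIN, "admin", FILE_A, T0 + timedelta(minutes=30), [WINDOW])[0],
        "admin_after_window": decide(SYSADMIN, "admin", FILE_A, T0 + timedelta(hours=3), [WINDOW])[0],
        "admin_reads_file": decide(SYSADMIN, "read", FILE_A, T0, [WINDOW])[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} {'ALLOW' if allowed else 'DENY'}")
```

The point worth noticing is the last case: the administrator holds a valid maintenance window on the file share yet is still denied a read of its contents, because the grant confers the admin action only and the need-to-know attribute is evaluated separately. That separation, plus the expiry timestamp, is what turns a standing administrator role into the time-limited, task-scoped access the article describes.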
Other features new to the Phase 2 system include:
- An integrated NARA-compliant records management capability
- A desktop-as-a-service board for users to see what services or software are available and what the impact on their organizations will be if they add or expand services. This feature is to be added later in the Phase 2 schedule.
- Support for non-US partners
Long term, Phase 2 is intended to provide similar services to other security domains, including the Secret Internet Protocol Network, or SIPRNet, and its non-secure cousin, NIPRNet. That requirement is built into Phase 2, but won’t be activated until after the system is proven in the closed arena, DeLauter says.
Will Phase 2 go as smoothly as the initial rollout? DeLauter is cautiously optimistic: “We hope it is as exquisite an experience as it was the first time.”
DTE probably won’t meet the Defense Department mandate that systems upgrade to Windows 10 by February 2017. But it could. One of the principal advantages to a virtualized system like this is the ease with which upgrades can be managed globally across the platform. But while the Phase 1 users at DIA and NGA could be upgraded today, DeLauter says her office is deferring to the agencies on when they want to make the switch.
“We’ve gone back to DIA and NGA and said, ‘Do you want to go to Windows 10?’ We are prepared to put Windows 10 in,” she says, “but DIA and NGA need to tell us when they want that. They shouldn’t do it separately; they need to do it together. The Joint Program Management Office is ready to provide those services when the agencies are ready to receive it.”
An upcoming new release for Phase 1, scheduled for the August/September period, will not include Windows 10, but the next release after that will, she said. “We are still working the delivery of Windows 10 in Phase 1,” DeLauter said. NGA and DIA must work through differences on timing before they can schedule the upgrade, she added, and meetings to broker a compromise will be held this fall.
Phase 2 is also not ready to push ahead on Windows 10. The system will launch with Windows 7 and won’t upgrade to Windows 10 until well after the initial release.
Faster, Better Intelligence
While DTE will be common to every agency, it won’t necessarily be identical. Each agency will have the ability to customize access to applications, email limits and more, making the next steps in the process daunting. No doubt, as DeLauter says, “It was easier for two agencies than it will be for 17.”
She has helped establish a cross-IC working group that invites agency leaders in ahead of time so they can examine the DTE baseline and requirements, and determine what additions they may need – and what those will cost. The goal is to demystify the process and system, to give every agency a chance at a little bit of ownership in the whole.
“Transparency has been a big part of how we’ve been running the desktop,” DeLauter says. “You let people come into your design reviews. You have forums to share. Transparency is part of integration across the community.”
As each additional agency joins DTE, it will represent an additional task order, with its own particulars to be worked out and its own cost to be borne by the agency. Changes from the baseline will vary from email and storage limits to the number of applications included in the standard image.
“We think it should be a thin image, but we also have agreed to expand the number as we move along,” DeLauter says, indicating the kind of give and take necessary to get so many independent agencies to agree to give up some autonomy for the benefits of a shared system.
In exchange for giving up some independence, agencies are expected to gain security and cost savings. Gone will be large on-site staffs needed to do manual system patches and other localized support. “We patch the gold image and then everyone is protected,” DeLauter says.
Applications will be common, so everyone will be on the same version of Word, PowerPoint or Excel, eliminating formatting problems that waste time and effort. Mobility – in this context the ability to log into the system anywhere and access your files, rather than from a mobile computing device – will enhance collaboration.
“If we eliminate infrastructure as an obstacle, analysts can now focus on content,” DeLauter says.
More importantly, what DTE allows are new ways of doing business. It’s not just that you’re getting a new computer, DeLauter says. This is an opportunity to develop new workflows, new ways to share and interact, and new ways to locate others working on related issues. The goal is faster, better intelligence, not just safer, less costly computing.
“We’re giving you some better tools,” DeLauter says. “So now: Can you come up with a better way to go through that data?”