OneNet vs. IC ITE vs. JIE: 3 Ways to Consolidate Fed Networks
President Trump’s executive order on cybersecurity aims to collapse federal networks into “one or more consolidated network architectures,” a move that would both centralize cyber responsibility in fewer agencies and radically alter the way agencies manage and operate their information technology systems.
Now government IT leaders are trying to figure out how best to achieve that vision.
Options include: a highly centralized system managed by a single federal entity; a shared arrangement built around multiple communities of interest, such as law enforcement or benefits delivery; or a commercially centered model in which agencies could choose from among a limited menu of approved commercial alternatives.
The Federal Chief Information Officer Council, led by Acting Federal CIO Margie Graves, gets the first crack at setting the path forward. Whatever solution it comes up with must then survive scrutiny from a host of federal agencies – as well as Congress.
Among the options are three models already in place:
- The Department of Homeland Security’s OneNet, a centralized virtual network architecture that links the department’s seven major components and 15 subcomponents
- The Intelligence Community Information Technology Enterprise (IC ITE), a multibillion-dollar effort to harmonize and standardize IT services throughout the intelligence community, including establishing common transport and security layers
- The Department of Defense’s Joint Information Environment (JIE), which, like IC ITE, seeks to establish standard services and controls to keep more data inside a protected environment and limit contact with the public internet to 49 joint regional security stacks (JRSS), which act as gateways between the defense network and the global internet
DHS’ OneNet, though the smallest of the three, is the most mature. Completed in 2014, it successfully drew together nearly two dozen agencies inside a single network in the decade after the department was created. In the OneNet model, each component operates its own local area networks (LANs) within a common set of standards and guidelines, using OneNet’s multiprotocol label switching (MPLS) backbone to connect with other DHS entities and with shared commercial cloud services, and to reach the global internet.
OneNet’s backbone sits on top of commercial networks operated by AT&T and Verizon, passing data from agency to agency through internal gateways called Policy Enforcement Points (PEPs). Contact with the world at large is routed through two Trusted Internet Connections (TICs), which also manage access to cloud services that host apps, databases and public-facing DHS web sites.
Richard Spires, DHS’ CIO from 2009 to 2013, oversaw much of the transition to OneNet. The challenges to consolidation are less about technology, he says, than culture and control.
“It’s hard to argue the point theoretically,” Spires told GovTechWorks. “It’s like a lot of shared services ideas in government: It sounds good, but getting everyone on board is hard. We were struggling to get OneNet to run well with just the different components of DHS. A model where you have one monolithic network? It would be very hard to manage at that scale.”
Agencies, individual divisions and programs all have unique requirements. Coming up with a single solution that solves everyone’s needs demands a lot of compromise. The more compromises necessary, the more time it will take to overcome objections.
This is why Spires favors an enterprise services model, in which government negotiates umbrella services centrally, but agencies are free to acquire those services on an as-needed basis. “That model is pretty close to right,” Spires says. “That way agencies can leverage the buying power of government, but you can still allow agencies to configure their network architectures to suit their needs.”
To effect that change, Spires favors shifting most infrastructure services, including network security, to a select group of cloud providers using enterprise agreements negotiated and managed by the General Services Administration, just as telecommunications services are managed now. “You can bake in the security controls so the agency doesn’t have to worry about it at that level,” he explains. “The agencies will still need to worry about security for their apps, of course, but not the infrastructure.”
Canada centralized its government IT infrastructure under a single agency, Shared Services Canada (SSC), in 2011. While the new organization is still in the process of collapsing hundreds of wide area networks into one, its charter goes much further – centralizing email and other services, consolidating data centers, collapsing network services and improving service results.
As with OneNet, SSC’s consolidation process proved slower than anticipated. Despite additional funding, the agency reported in its 2017-2018 plan that “current funding is insufficient to meet the higher-than-anticipated growth in government-wide demand for IT services and to refresh the older IT systems and enterprise environment.” That report puts funding and talent shortages at the top of its list of organizational risks – higher than cybersecurity or aging legacy infrastructure.
Still, it also notes progress: The number of critical incidents affecting government agencies has declined and cost growth has been arrested.
Of course, Canada’s government IT budget is a fraction – about one-tenth in size – of that of its southern neighbor. But there is another model closer to home and closer to scale: The Defense Information Systems Agency (DISA), which manages DOD’s networks and shared services. DISA’s enterprise is roughly comparable in size and scale to what the federal civilian sector might need.
In addition to managing network infrastructure, DISA is central to the evolving Joint Information Environment (JIE) and its critical security component, the Joint Regional Security Stacks (JRSS), the network gateways intended to reduce DOD’s attack surface from more than 1,000 live Internet connections to just 49 once the program is complete.
“JIE is a framework for the Department of Defense (DOD) to consolidate and bring efficiencies into our networks, particularly NIPRNet and SIPRNet,” said Thomas P. Micelli, acting principal deputy to the DOD’s CIO, at a recent Armed Forces Communications and Electronics Association (AFCEA) event. That’s a lot like what the president called for in his cyber EO, he said, adding: “So it looks like the rest of the federal government is going to be following DOD and the JIE environment, and collapsing its networks.”
Not that Micelli sees the Pentagon playing a central role in that effort, however. Having previously held CIO positions at two DHS components – Immigration and Customs Enforcement (ICE), which uses OneNet, and at the Coast Guard, which uses DOD networks – he is familiar with both approaches and the unique demands of both sectors.
Will DOD take a lead role? No more than any other agency, Micelli told GovTechWorks: The whole CIO council will contribute ideas and expertise, and each of the agencies will do its part, he said.
While the executive order leaves open the possibility that defense and intelligence networks could also be folded into a consolidated architecture, it’s unlikely that will be the case. The different mission and security requirements argue for keeping some things separate, which may be why, when asked about DISA as a model service provider for the whole government, Micelli responded by citing DHS: “They have a pretty good network too.”
That “pretty good” network didn’t come together overnight. It took close to a decade to complete DHS’s migration to OneNet. While today’s technology might suggest it now could be done faster, it’s the people part that will be the most challenging, Spires notes. “It’s not that it’s technically impossible,” he explains. “It’s the politics, the way the money is appropriated.”
Making this happen demands forceful leadership and management focus from the top – specifically, from the White House, he says. “If you have true leadership, driving this hard from the top, it’s possible,” Spires says. “Without that, it’s too easy for resistance to rise up and simply slow everything down.”
That’s why Spires favors starting by consolidating networks around communities of interest.
“I’d like to see agencies that have functional compatibility try to work this out together first,” he says. “The intelligence community is doing this with IC ITE.” So why couldn’t agencies that pay for health care or that deliver other citizen services do the same?
Stan Tyliszczak, chief engineer and vice president of technology integration with General Dynamics Information Technology, agrees.
“That’s a solid approach,” he says. “The Intelligence Community and the DOD take advantage of the fact that their missions are isolated from the public, so they can use tightly controlled network access rules to protect against unauthorized persons trying to hack into their data.
“Creating a solution for other federal agencies based on commonality of their needs would allow for similarly tight control among like-minded agencies. There could be one community for health care; another for law enforcement and so forth. There could even be one community that’s wide open to the public for access to citizen services.
“This way, cybersecurity requirements and solutions could be tailored for each agency based on mission needs,” Tyliszczak concluded. “Every agency could pick the combination of networks that best met their unique mission and applications needs.”