Danielle Metz has one word to describe the Department of Defense’s abrupt transition to remote work in 2020: “herculean.”
The DOD deputy CIO for information enterprise, Metz says that IT leaders had just a few weeks at the pandemic’s start to ensure they had the proper bandwidth and enough devices, and to augment collaboration capabilities so that employees could replicate their work environment at home.
“We needed to do this in short order because we wanted to avoid shadow IT,” she says. “If there’s an extraordinary circumstance and something needs to get done, people are going to be smart enough to figure out how to do it, but they may not be doing it in the most secure or efficient manner.”
Key to the response was the rapid rollout of a temporary collaboration solution that offered video, voice and text. Called Commercial Virtual Remote, it became the world’s largest deployment of Microsoft Teams, established in just 60 days.
Every DOD employee — about 2.8 million in all — had access to CVR, which became the linchpin of an effort to make sure there was a long-term, unified solution for the future. Every agency within DOD worked on the project to “ensure there was unity of effort,” Metz says.
“The impact of CVR made it clear that we have forever changed how we work and collaborate within the department,” she adds. “We have transitioned to chatting, meeting and collaborating in Teams. CVR was a tipping point for a DOD-wide culture change in how we conduct business.”
The temporary solution was officially taken offline on June 15, replaced with a permanent and more full-featured solution called DoD365 (the department’s version of Microsoft 365), which also includes Teams. About 2.2 million users had migrated to the new solution by the time CVR was disabled, Metz says.
CVR saved the day in the short term, says Mike Galbraith, the Navy’s chief digital innovation officer, although it had shortcomings.
“But the good far outweighed the bad, and it positioned us for the future,” he adds.
DOD Aggressively Rolls Out Telework Tools
In the early days of the pandemic, DOD agencies often found that there wasn’t enough technology to support the demands for telework. “There weren’t enough audio bridges or VPN clients,” Galbraith says. “We didn’t have enough bandwidth capacity.”
Mark Weatherford, chief strategy officer for the nonprofit National Cybersecurity Center and the Department of Homeland Security’s first deputy undersecretary for cybersecurity during the Obama administration, says that every federal organization struggled with giving so many people secure remote access overnight.
For government agencies that didn’t have laptops or remote capabilities available for everyone, he says, a lot of work had to be done over a short period of time.
“But I would say that the added complexity of the DOD remote workforce is that so much of the work is classified,” he says. “It is a huge cultural challenge.”
So a core group of engineers, program managers and the DOD Cloud Computing Program Office worked with Microsoft to roll out CVR on an aggressive timeline, Metz explains.
“We had to have the guidance and policies in place to ensure that the data would be protected and to figure out what kind of data would be allowed to be transmitted within that environment,” she says. “We were able to leverage an existing contract to do an initial six-month Teams deployment in their commercial environment.”
Once the work was done, the improvement was noticeable. “During the first couple of weeks, we doubled our bandwidth, we doubled our network throughput and capacity, we increased our RAS [reliability, availability and serviceability] capability by 500 percent, and our web access accounts by a factor of 30,” Galbraith says. “Each month, we were imaging 15,000 laptops for distribution.”
Says Metz, “CVR drove home the importance of web-based access as a baseline capability. A vast majority of DOD workers were suddenly given the ability to work from anywhere, on any device, and they were not happy at the prospect of losing that ability” once the pandemic ended.
FREE RESOURCES: Get your agency ready for a new way to work.
Pentagon Seeks a Permanent Telework Solution
While CVR was readily welcomed, it wasn’t perfect: It had security, user experience, and content search and management issues that DoD365 corrects. For instance, while CVR was an Impact Level 2 environment, which covers material that is allowed to be released publicly, DoD365 is Impact Level 5, which allows for sensitive information.
“The biggest issue with CVR was that it wasn’t integrated,” Galbraith says. “It was this appendage tacked on to our normal collaboration and email environments. You had to have two accounts, two content stores, two calendars. Initially, there was a lot of confusion.
“With DoD365, we have a product that is outstanding, and the vision and buy-in are much stronger than they ever were, because everybody went through those pandemic telework experiences together,” he adds.
As DOD worked to establish DoD365, developers planned to integrate zero-trust cybersecurity principles — something that hadn’t been required at the time but is now a major part of the Biden administration’s executive order on cybersecurity.
“We needed to have an enterprise service that did identity management and authentication,” Metz says. “Our engineers developed, designed and implemented a global directory. This allows us to continue the thread of interoperability but also cybersecurity.”
They also came up with a minimum mandatory cybersecurity baseline that each branch of the military hosting DoD365 must implement.
Moving to a zero-trust security architecture is not easy, says Weatherford. “Zero trust essentially says everything that happens in an environment is untrusted, so every communication needs to be verified and validated prior to granting access, and then there are technologies to enable it. But I think it is far harder to implement than it is to describe it.
DOD Looks to the Future of Hybrid Work
Each DOD component is on a slightly different schedule in terms of migrating from CVR to the DoD365 environment. The Navy, for instance, had moved over approximately 50,000 people as of early summer.
“It will offer an integrated experience where all of our content management, emails and calendars will be integrated with our SharePoint portal in a single digital environment in the cloud,” Galbraith says.
DOD is also working to offer direct access to the internet from web browsers, and users will be able to access DoD365 from personal cellphones that have a mobile device management solution, Metz says. Each step is tested in pilots and is then presented to the DOD CIO and U.S. Cyber Command for approval before implementation.
Danielle Metz, the deputy CIO for information enterprise at the Defense Department, led the shift to telework. Photography by Gary Landsman
The military can no longer make plans based on having all workers onsite, Metz says: “We need to make sure that regardless of where our users are, they can access what they need to execute their mission.”
Although the CVR deployment eased collaboration issues in unclassified settings, almost 12 percent of military workers surveyed by the DOD Office of the Inspector General in August 2020 said that they continued to work onsite during the pandemic because their work could not be performed remotely.
“If the military wants to have access to its data and services from anywhere and on any device, and do it securely, it brings into sharper focus the things that are holding us back,” says Maj. Gen. Maria B. Barrett, commanding general of the Army’s Network Enterprise Technology Command.
Metz is convinced that the CVR/DoD365 project can serve as a model for future work. New partnerships were forged among military CIOs and DOD agencies and are now being leveraged during the transition from CVR to DoD365.
“We have provided a blueprint for the department in terms of how we think about IT,” Metz says. “It’s not just a back-office function. We’re able to make ourselves relevant in terms of how we’re executing the mission.
“Instead of building a perfect box that takes two years to get to our warfighter or to our DOD user, we’re able to spiral in incremental capability more securely, more quickly and build upon it, and it becomes more relevant. We can deliver these types of capabilities by using a DevSecOps model, and it works.”