One of the most significant constraints on placing emerging technologies into the hands of our naval workforce has proven to be alignment with existing policies and procedures that were not designed to deliver services at the rate our Navy consumers require. Many of the existing information technology policies applied to our IT services have been far outpaced by emerging technology. This challenge inhibits modern IT solutions, such as Zero Trust, Bring Your Own Approved Device (BYOAD), and internet-native endpoints, from ever becoming enterprise services, creating a need for exceptions to existing policy.
Driving both innovation and DoD policy, the Navy PEO Digital Flank Speed development teams worked with the Department of the Navy Chief Information Officer (DON CIO), the Director of Operational Test & Evaluation (DOT&E), and the Department of Defense Chief Information Security Officer (DoD CISO) Cybersecurity department to establish a strategic approach to issuing Exceptions to Policy (E2P). The introduction of E2Ps allows the DoD to explore the use of modern technology in a controlled manner while still safeguarding sensitive information and services. The approach the Navy has taken toward obtaining E2Ps uses a combination of zero trust-aligned technology analysis, DOT&E-sanctioned cybersecurity assessments (known as Purple Team events), and the development of guidance in support of the DoD’s future use of the technology or service being introduced. Each E2P is aligned to a specific technology area identified within the Navy for modernization, which have so far included Endpoint Security, Endpoint Management, Personal Devices, Virtual Desktop and Modern Authentication, all of which are detailed below.
As the Navy heavily transitioned to a remote work posture, adoption of an entirely new endpoint security methodology became a priority. This methodology had to ensure optimum security for our managed endpoint devices in a scenario where we no longer controlled the connectivity path for reaching business essential applications, services and data. Through extensive multi-year testing, it was determined that Microsoft-native security tools would be leveraged as the replacement for the existing legacy endpoint security solution. Navy has since worked with the DoD CISO office to establish production level approvals to support this approach, and the E2P process provided through DoD CISO enabled full deployment of this alternate solution, despite existing policy mandating specific legacy tools. The transition to this modern endpoint security approach has proven to be an extremely successful and impactful change for both our naval consumers and our cyber operators.
The next generation of PEO Digital-managed endpoints removes the strict dependency on government-provided transport and accommodates remote work scenarios without the added expense and complications of persistent Virtual Private Networks (VPN). Devices are internet-native, continually updated, and configured with the latest security patches as they are made available by the service provider. However, current DoD policies do not accommodate internet-native devices leveraging Microsoft-specific endpoint management tools and services. As such, an E2P has been issued to the Navy to ensure secure operations over Flank Speed managed endpoints using this alternative connectivity model. Once proven, Flank Speed managed endpoints will completely change the way the Navy delivers managed endpoints to our consumers and will open the door for capabilities such as out-of-the-box onboarding, at-home provisioning and facility-free repair.
The Navy is pursuing an alternative approach for consumers to access their government-provided productivity services, using managed applications on a personal device of their choice. Today, a consumer wanting to access DoD services from a personal device is limited to access through the device’s web browser. The browser-based experience has been used for many years within the DoD and has provided great value and flexibility during this time, but not without challenges. The most significant limitation of the browser-based approach is its inability to provide access to the full set of features and functionality made available to consumers coming from managed devices. This puts browser-based consumers at a disadvantage and is an inefficient use of the full-featured licenses purchased for all consumers. The browser-based experience also does a poor job of providing zero trust-driven access to DoD data, increasing risk to both the consumer and the DoD. To remedy this, PEO Digital sought an E2P to place managed applications directly on the consumer’s personal device. Managed applications on personal devices give Navy consumers control over their own device and a familiar native app-based user experience for securely interacting with their DoD data, applications, assets and services.
PEO Digital has developed an Azure-based virtual desktop solution, branded by the Navy as Nautilus Virtual Desktop (NVD). NVD is one of the most flexible and expandable remote access methods the Navy has ever deployed. The NVD service can be accessed from nearly any device and provides the consumer with a consistently updated, remotely accessible Windows desktop experience, enabling access to the same features and functions available to our managed device consumers. NVD also leverages modern Infrastructure as Code (IaC) based deployment methodologies to rapidly expand the service at the pace of the demand. This is all delivered in a manner that aligns to current DoD zero trust principles. The E2P for NVD allowed the Navy to deploy this solution at scale, using a combination of Navy-managed and cloud service provider-managed services, ensuring maximum flexibility for consumers and full visibility and control of the solution by Navy cyber operators.
The Navy is in the process of transitioning toward Naval Identity Services (NIS) as the enterprise federated identity offering. NIS provides the naval consumer with a zero trust-based approach to identity, authentication, and authorization in a capability package that is available within the commercial cloud, whether hybrid or disconnected. The transition to NIS opens the aperture for rapid enablement of emerging modern authentication solutions across all IT platforms, while accommodating interoperability with the traditional approaches in use today across the DoD. For the Navy to continue its transition to NIS, an E2P was required to leverage NIS authentication services for Microsoft 365 services instead of the currently mandated Global Federated User Directory (GFUD) service. The use of these modern authentication technologies presents a much more user-friendly experience, while also integrating all authentication and authorization into the zero trust ecosystem made available through Flank Speed services.
PEO Digital continues to rapidly transition toward the adoption of zero trust-driven principles as it expands consumer access to data, applications, assets and services from any device and any location. The partnership and teaming that PEO Digital has with other organizations, such as DON CIO, DoD CISO, DOT&E and many others, have been paramount in sharing lessons learned and defining the best path forward for the DON and DoD. Over a dozen individual E2Ps specifically geared toward driving innovation and security have been issued to the Navy PEO Digital Flank Speed team, and we fully intend to expand upon that number for the betterment of our naval consumer experience in the future.
Darren Turner is chief technologist for PEO Digital’s technical director.
Established in May 2020, the Program Executive Office for Digital and Enterprise Services (PEO Digital) is the DON acquisition agent focused on the delivery of enterprise IT infrastructure and core digital services to maintain the competitive edge while meeting demand signals from our user communities. PEO Digital is transforming systems and delivering modern capabilities and technologies needed to connect Marines and Sailors across the globe.
Originally published in CHIPS Magazine.