The Defense Information Systems Agency (DISA) oversees a vast and dynamic IT ecosystem that supports a wide range of operations – from the Department of Defense’s (DoD) classified mission systems to a host of other critical functions – and that scope presents unique challenges, a top agency tech official explained this week.

“With the large landscape that we have, we have some significant challenges that we deal with, and they come in a couple categories,” said Korie Seville, DISA’s deputy chief technology officer for Compute & HaC senior technical advisor, during a webinar on March 12.

According to Seville, one of DISA’s main challenges is managing diverse deployments. That’s because modern capabilities often require stitching together multiple services to meet customers’ varied needs, rather than just running a single application on one server.

“When you do that from a supply chain perspective, throughout the entire life cycle of that application, you almost have to approach the different pieces of that service in a different way,” Seville said. He added that the nuances and variations across these systems make managing such a vast and diverse ecosystem a significant challenge.

Another challenge DISA faces in managing its ecosystem is risk in the software supply chain, which is often overlooked in comparison to risks associated with hardware, Seville explained.

“When we approach the software supply chain, it seems to be vastly different than the hardware supply chain,” Seville said. “A significant risk to the IT supply chain is the fact that there’s a lack of visibility and adequate testing when it comes to software deployments.”

He explained that unlike hardware, where the focus shifts to cyber monitoring once it’s put in place in a facility, software risks persist throughout the entire application lifecycle. Those include concerns about deployments, upgrades, origins, packaging, and the software bill of materials. “All of these things factor in as we’re building these things out,” he said.

Seville also explained that gaining visibility and a clear understanding of the associated risks in the software supply chain marks another challenge the agency faces. Adding to that challenge is that DISA must manage its own supply chain, in addition to the supply chains of its providers.

“Where are they getting their infrastructure? Where are they getting their capability from? How are they upgrading their systems and hardware and software capabilities?” Seville said. “It creates this shared risk model that if we want any hope of getting an accurate view of our risk posture, we have to establish a very tight partnership with the people that we’re getting these capabilities from and establish that shared responsibility model for managing risk.”

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.