US Navy: IT Transformation at Scale

Michael Krigsman: My guest co-host for today is my old buddy and a regular here on CxOTalk, Dion Hinchcliffe. Dion, how are you doing?

Dion Hinchcliffe: I'm doing fantastic, Michael. Thanks for having me on again. Today, we have a very special guest, indeed. I've been looking forward to this for a long time. We've got Tony Joyce, Deputy CIO Naval Facilities Engineering and Command of the U.S. Navy. We're going to talk about all sorts of things. We do a lot of public sector here on CxOTalk, but I think this is probably the first military guest, right? It'll be interesting to hear those stories and how IT works in that world.

Michael Krigsman: Yeah. Tony Joyce, how are you? Tell us about NAVFAC, and tell us about the Navy and your role.

Anthony Joyce: NAVFAC is probably best thought of when you look at all the buildings. The shore infrastructure is really the secret buzzword for what NAVFAC does: the buildings, of course the planning, land acquisition, and everything else associated with that; environmental activities on the shore, cleanup or remediation, ranges, and things like that are also part of our mission; the whole public works function for the buildings that the Navy owns. There are over, I think it is, 2 million acres and well over 100,000 buildings and structures of interest on the shore that we manage or support in various ways. Of course the construction of that over the last roughly 125 years has been handled by NAVFAC or its predecessor organization. We also are the parent organization for the CBs and, of course, they have a long and legendary history behind them.

Dion Hinchcliffe: NAVFAC, do you guys supply IT for all of those facilities and the CBs?

Anthony Joyce: We do have systems that support the utilities management, utilities metering, utilities monitoring, energy management, [and] some newer stuff that's associated with smart grids and things like that, so a lot of IoT in that infrastructure. [We] can't forget the buildings and the HVAC controls, some monitoring systems for environmental purposes, [and] various other things that are part of that industrial control environment that surrounds the building.

Again, as the technical authority for the shore infrastructure, it is our primary mission or one of our missions--we have several missions--for cyber security purposes is making sure all of those controls and that building systems are effectively isolated, managed, updated, [and] supported.

Dion Hinchcliffe: Is this a global facility management mission? Does the sun never set on NAVFAC, or how does that work?

Anthony Joyce: Yeah, we are a global organization. Of course, our mission is associated with where the Navy has activities. The Navy has about 100 bases, and so we have well over 100 delivery points of where we have large organizations and small.  In some cases we have three-, four-, or five-man offices where new construction is being done in foreign countries; but in other cases, the Norfolk area, we have a substantial presence. The Washington area, we have a variety of activities. And so it's a large and diverse community.

Overall, there are about 20,000-plus people in NAVFAC. In particular, my role in the organization is the information and business systems of the organization. One of my colleagues is the manager of the industrial control environment and the systems that are going into those buildings or that are necessary to secure them. I have a different colleague who is responsible for our cyber securing activities themselves as an authorizing official for that.

Dion Hinchcliffe: You provide the business systems that includes the digital workplace for those 20,000 folks?

Anthony Joyce: The digital workplace that we use is the Navy's Navy Marine Corp. intranet, which is a very large network: approximately 0.5 million seats scattered across the United States, covering the Navy and Marine Corp. Approximately 100,000, I think, Marine Corp., so the majority, 3,000 to 4,000, are Navy seats. Of course, NAVFAC doesn't own that. The whole system is an outsourced contract. Rather, system is not the right term. It's a services contract that provides us with our desktops, and our desktops are fully managed under that construct, are secured, [and] are appropriately detailed. One of the things that one of my teams does in my organization is ensure that we have the desktop software that people need and ensure that it is adequately tested, secured, and suitable for use on the desktops within this environment.

Michael Krigsman: When you think about the cloud, how do you grapple with that concept? How do you think about migrating to the command? What do you migrate? What about the training? You're dealing with a lot of people, and there's a lot of complexity. I don't think most of us watching recognize that kind of complexity, so shed some light on that for us, would you?

Anthony Joyce: We see the cloud as being easier to manage and easier to run. I think the cloud services that we get--if you will, platform as a service or software as a service--are generally better integrated and more effective than some of the traditional services that are heavily client server-based, which is probably the majority of our technology, although we have a mainframe, IBM mainframe, that's running one of our major financial supporting applications, a project management tool. We have externally hosted systems at other data centers that are there for various historical or other reasons. Collectively, when one looks at the architecture of our system, we have a rather complex as-is environment because there are several technology stacks that support these applications. Again, we've been at this for a while. We did, essentially, a consolidation of a variety of regional systems and individual environments into our enterprise data center in roughly a 2010 timeframe or a bit before, and had been running a centralized hosted, centrally maintained set of systems and services out of our specialty center that does that.

Michael Krigsman: Tony, when you came up with the idea, initially, of moving some of your applications to the cloud--and I realize that, for you, 1,500 internal users plus a bunch of contractors is a relatively small pilot. Did you have resistance internally to the cloud? What were the considerations for that?

Anthony Joyce: There isn't, per se, resistance to the cloud. The difficulties I think we have in getting to the cloud is really the securing of the systems and the services. As part of BOD, we are subject to BOD's information assurance controls and requirements. Cyber security is the slightly more modern term for that.

There are hundreds of controls that we must assess and, in many cases, test in order to ensure that these systems are suitably protected, secured, [and] operational. They cover a whole bunch of different areas, so it's not purely for security, but it is the experience of many years of evaluation of different pieces of software and the different components of our system. And so the implementation of systems within that regime turns out to be pretty hard. Securing, say, the database; we use Oracle. We install the software, apply the patches, [and] do the STIGs. By the time you get through all of that, it turns out that various functions may not work as expected, and so there is a lot of effort and engineering involved in getting these systems to operate properly within this secured environment.

Dion Hinchcliffe: Yeah, you're describing a complicated environment that I think most people in private sector IT couldn't begin to imagine. I think probably your bar for cyber security is far higher. You've got systems of systems, so clearly are doubling down on the industrial Internet and have IoT. You're trying to do this in a kind of verified environment. What can you tell us; what's unique about NAVFAC IT that we wouldn't expect, we wouldn't necessarily think about or have to experience in private sector IT?

Anthony Joyce: Well, I think what is unique about our IT is that our diverse systems, which are really several different technology stacks and different applications, are functioning well together. We have people that are using our financial management system one morning and then going into our project management tools, going into our contracting tools, going into reporting tools, moving over to a GIS, and we have managed to both build all these systems and make sure they were working within the environment, but also make the information available so I can link over from my reporting tool back to some of the financial records, source records, or documentation that might be necessary.

Dion Hinchcliffe: Information sharing has always been one of the big desires in government information systems. But, as you well know, the security challenges you have in that information sharing makes that difficult. Is that something that you've faced? Is that something unique, compartmentalization and other things, that are common in the public sector environment, but we wouldn't necessarily see elsewhere?

Anthony Joyce: Yes, it is. It is. It's actually rather difficult to achieve because our desktops, in particular, are secured, fortified. The whole NMCI environment is heavily secured. I can't install software on my system, so I have to use only tested software.

Then the ability of my desktop, say, to connect to a reporting tool is purely through a Web browser. I can't DDE or OB, you know, a CD type or other sorts of data connections that people have come to rely on. Trying to use some desktop software to access a database is not permissible or possible within this environment because of the intense security.

Michael Krigsman: How do you balance the need to have a good user experience in such a locked down environment? Is user experience a concern, or where does that fit?

Anthony Joyce: User experience is a concern with all of our systems, as part of our production process. We have multiple environments for our systems, and so we have a development environment where there is a lot of freedom to set this stuff up. But as we move through a promotion process, we go through from development to a testing environment, which is very close to what our production environment is. We go through user acceptance testing in that environment to ensure that the system does what the user wants it to do. It's not until we have accomplished most of that testing--I mean no testing is perfect--until we have satisfied the user criteria and the user testing that have been required for a particular system change, it's not until that occurs successfully that we allow the software into production.

We have this pipeline built, and we work our systems, a majority of our systems, through it. Our mainframe is a little bit different, a little different constraints. One of the external systems does things a bit differently, and so there are some variations. But for the 20‑some business systems that we support out of our hosting center on a regular basis, we go through this for all of those systems and their routine change management production, promotion, and development.

Michael Krigsman: The user dimension of this is mostly focused on--and I don't want to put words in your mouth--ensuring the right functionality layered with the right security, essentially.

Anthony Joyce: Well, it's ensuring the right functionality works within a secured environment. The right security is actually something that is probably more evident in documentation. It's something that we are doing more documentation and more elaboration on in the course of preparing for audits of our financially relevant systems.

We have seven systems that have been deemed financially relevant that provide transactional or critical property accounts to the financial, the actual accounting systems. As part of the Navy's assessment of the balance sheet, which is being reviewed by independent auditors, there is a set of requirements that are imposed on us to describe, document, and test our financially relevant systems to meet a series of the FISCAM required controls and standards for these systems.

Dion Hinchcliffe: I'd love to talk about that. The whole governance model for that must be something to behold. A hot topic, as you know, in our industry right now is this whole conversation around digital transformation. Obviously you're isolated from some of the pressures that other organizations.

You've got a mandate, and you own that mission. What can you tell us? Are you guys embarking a similar kind of parallel public sector version of digital transformation? What are your goals and plans that you can tell us about? How is that process going?

Anthony Joyce: I'm not sure we have gotten to that stage yet. We are certainly looking at it. The Navy logistics community has stood up an effort to look at that throughout the logistics community, but it's a bit early. We haven't gotten into any actual attempts at transformation.

Where we have been the last couple of years and probably will be the next two years, is data center consolidation and, again, moving or preparing our operations in order to move into a cloud environment or even multiple cloud environments because we don't necessarily see that a single cloud environment will suffice or, as we go through competition as part of our contracting efforts, we may find ourselves in multiple cloud environments as a result of competitive […].

Dion Hinchcliffe: I think shifting to the cloud is certainly a first step in some kind of digital transformation. We see organizations doing one of two things: focusing much more on getting access to the data, improving analytics, and starting to foray into things like artificial intelligence--whether or not you'd believe that's a real term or not--or on customer experience. You were talking a little bit about usability. Are those areas of interest? Are you maturing that focus? Are you still really working on service delivery as your primary mission?

Anthony Joyce: A lot of our effort currently is in the analytics space, and so we are working on building out our reporting environment, enterprise information. We are in the process of building a logical data warehouse that will permit the analysis of data across a variety of different fields. Financial information is one of our stacks. Our property in geo spacial information is another stack. The utilities and energy consumption and related activities, and then over into budgetary and financial information, particularly labor and other types of service information are all kind of separate operational data sets or operational data stores.

We've embarked on an effort to tie those all together into what really is a logical data warehouse as opposed to some of the more traditional data warehouses of Bill Inmon or other forms, if I might. Logical is probably not particularly well understood, and so it is cutting edge and a fair amount of work to bring all these data sources into this construct and make the analysis effective and efficient. This isn't really a big data environment, which I think some people go to, which is just a data lake; throw everything in, or put it on a cloud system. That is something that perhaps has some usefulness here, but we don't have an opportunity to build that within our hosted environment, and it make require us to get into the cloud in order to use a data lake type non-structured environment in order to do this analytics more efficiently and more effectively. Not really, I think, quite come to terms with the digital transformation that I think some of the leaders are getting to. We're not that fast.

Michael Krigsman: We have a question from Twitter, which Arsalan Khan is asking, how useful are not has been the DoDAF, the DoD Architecture Framework for NAVFAC culture? I guess it's a question about the link between an architectural framework, a technical framework, and the organizational culture. Is there a link there?

Dion Hinchcliffe:  Yes. DoDAF is a big deal in certain circles in the D.C. area, for sure.

Anthony Joyce: Yes, the DoD Architectual Framework. We are required to assess our business systems against the business enterprise architecture, which is a large portion of the DoDAF framework. I am not sure how that really relates to culture. I have found that culture is more the behavior of the organization as opposed to a particular static construct.

One of the things that I think NAVFAC has and serves well in terms of culture, as I mentioned, is the CBs are a part of our community, and the CB motto of "Can do," I think permeates the rest of the business. We have built the system and manage our IT, I think, equally effectively. We have found a way or find ways to do things. Presented with a particular requirement, we managed to buckle up and get the work done. I think the culture, again, is what you do, not what it looks like or how you put it down on paper.

Dion Hinchcliffe: Tony, I'd be curious to know. We talked about the digital transformation of IT, moving to the cloud, and building on the analytics, but really the hard part is changing the people. How are you attracting the next generation of IT talent? You have some mission critical things that you guys oversee. Certainly, on the cyber security side, you're going to be facing some of the smartest people in the world who are going to be trying to do their best to compromise the work that you do. How do you staff up for that? How do you attract that talent?

Anthony Joyce: Well, we are hiring cyber talent as fast as we can. In fact, I think there are two positions open currently. Our positions are available out on USA Jobs. Specifically, if somebody goes to the NAVFAC homepage, www.navfac.navy.mil, you'll find links there to our job section, job announcement, and that'll take you over to the USA Jobs, which is the actual record of all jobs. But it's hard; it's a challenge.

Dion Hinchcliffe: Are you guys competing with the Amazons and Facebooks who are soaking up a lot of the best talent in the world right now?

Anthony Joyce: Well, I'm not sure that it's a level playing field because the government doesn't have the ability to offer the salary that the Amazons and the Facebooks have.

Dion Hinchcliffe: You have a more important mission. Why a lot of people go into public service is not because of the pay, but because they think that they're defending, you know, what's good and what's right, helping people, or whatever it is.

Anthony Joyce: The public service is definitely an attractive component, as is the mission. Depending upon where people are, we may not be competing in the same regions as Amazon and others, and so that may provide us some leeway. We have perhaps some less populated cities or less expensive cities where we're hosted than Silicon Valley, so we do have some opportunities for that.

We actually, I think, have a lot of opportunity for younger people. I know we have an intern program. We have an ability to encourage and get people, I think, coming out of school into the government, and there is a lot of interest in working in that space in order to capture people, to get them interested early in some of this important type of stuff. Certainly cyber security is being taught in school; and bringing folks right out of school into our environment is, I think, an easy path into the government to help people learn because we have plenty of work to do.

One of the things that is, I think, the selling point is, I've got 100,000 buildings we've got to secure. It's going to take us a long time to get there. It's semi-permanent work if people are interested in pursuing it. But that's not the only point. We have a variety of things going on. As I said, we can bring people in on our data center, our operations, our support of our systems, [and] on the cyber security, so it's not just cyber security.

Michael Krigsman: What are the key IT related, technology related challenges that you see coming down the pike?

Anthony Joyce: One of the challenges is certainly the data management and analytics, making that easier, making ad hoc querying effective. The whole arena of unstructured data and unstructured data management also is key because a large part of what we do and a lot of our data is captured inside contract documents or various reports, financial documents and such. Even in this day and age, the government exists largely off of paper. A large part of the auditing is to ensure that the business processes also have the key supporting documentation. As part of the independent audit team, they've been going out and looking for documentation about the building that may be 20-, 30-, or 40-years-old to determine that the air conditioning system was properly acquired and the building was properly constructed or things like this.

There is, I think, an awful lot of opportunity in finally getting data out of the paper, which I am still not too sure that I have seen too many successful technologies that do it because most of them require manual metadata collection.  How do we automate that metadata? How do we discover the patterns between different types of documents? If I can pull the document out of the file, is that a maintenance manual? Is that a contract? Is that something else?

Dion Hinchcliffe: What advice would you have for corporate managers that are heading in that direction, a large, global organization, getting their analytics house in order as they grow and embarking on things like Internet of Things initiatives?

Anthony Joyce: One of the things we need to focus on, and we hadn't really talked about that as a technology, is mobile, because all this stuff is not really sitting on a desktop any more. How do we get it out in the field on mobile devices, people's phones, and so on? There are certainly user issues about how do you handle large volumes of paper on little, tiny iPhone screens.

One of the things that we are doing is looking at that environment and looking at what our requirements are. How do we get different tools, better tools? How do we mobile enable our systems?

I think, for the managers, there is a need to orient a bit further out. What is a purely mobile environment going to look like and how is that going to affect the sorts of services, really the back office services, that I as a CIO--?

Dion Hinchcliffe: Mobile is a really big challenge. Are you guys heading in a mobile first direction? Is that how important it is for you? I guess you have a lot of field people.

Anthony Joyce: That's correct. Yeah, we've got about 5,000 field people out of our 20,000-plus population. They are not well served with desktop machines, and so that's an area we're putting a lot of attention in supporting them and providing them.

Sorry. Back to our question about hiring and bringing people in. Mobile, too, would be an area that we would hope to bring people in to help us with. That's a definite growth area throughout the government.

Dion Hinchcliffe: Many organizations are behind in mobility, for sure.

Anthony Joyce: That's correct. We're looking to get rid of our mainframes because the expense is just outrageous. How do we transform our financial system is actually something that's coming up in the very near future.

Michael Krigsman: We have one final question. This is from Naomi Williams, who is not on Twitter, but she's on the Livestream platform. Very quickly, because we're almost out of time, what are your thoughts on replacing Microsoft Office on desktops and using Google Suite for government instead?

Anthony Joyce: It's something that we have to contemplate. Again, we are under federal acquisition regulations, and our ability to maintain a particular environment or go to a particular sole source, or single source, is limited. We always have to think about adaptability. We can't let ourselves get locked into technology too deeply because, in our acquisition world, we may not be able to get it. Every time we go out for a collection of services, and particularly on the large-scale ones, there is a high chance that somebody may be coming in. The next contractor in the NGEM maybe is NGEM competition could well bring in a different office suite. All of a sudden we find ourselves with 20,000 users that we have to help adapt. That is a part of life in the government and a part of the business that we, as government managers, have to rely on.

I think industry is perhaps a little spoiled in that they can keep going buying Office forever if they choose to do so. The government is not nearly so lucky, and so it does present some challenges to us. In conclusion, if I may, one of the probably better parts of working in the government--for those who are interested in doing so--is that there is no lack of challenges in our day-to-day job. It doesn't run out.

We never have enough money. We never have enough time. We face the competition, a competitive system, and outcomes that we can't expect. We're heavily leveraged with outsourced contractors or with services from other organizations. It is an interesting intellectual challenge, and it keeps us busy.

Michael Krigsman: All right. On that note, we are out of time. You have been watching Episode #260 of CxOTalk. We've been speaking with Tony Joyce, who is the deputy CIO of the Naval Facilities Engineering Command; and my illustrious guest co-host today has been Dion Hinchcliffe. Dion, this has been a very interesting and in-depth conversation about a sector of the world that we don't always hear about.

Dion Hinchcliffe: Absolutely. It just shows how varied the world of IT can be. I think that more crosspollination should happen between commercial and public sector IT.  We have a lot to learn from each other, so thank you, Tony, for sharing all of your knowledge with us today.

Anthony Joyce: Thank you, both. Glad to help.

Michael Krigsman: Everybody, we have two shows next week. Tune in on Tuesday and on Friday next week. Go to cxotalk.com, and you can see our upcoming episodes. Thanks so much and have a great day. Bye-bye.