It is time! It is time for me to say goodbye to the Department of Defense and the Department of the Air Force.
It has been an honor serving as the first Chief Software Officer in the U.S. Government and particularly in the Department of the Air Force.
It has been the most incredible journey for me – I have had the chance to meet and work with some of the most incredible people in all my 22+ year career.
This job certainly was not easy, probably the most challenging and infuriating of my entire career. Yet, I recognize this work as being the most impactful for our children’s future and the most rewarding for me.
When I started back in August 2018, my wife was 7 months pregnant with our first child. I am certainly not the first father to say this, but this single event changed my life and my view of things.
In 2020, my wife and I welcomed our twins during the interesting times of a global pandemic that continues to disrupt our lives and the world more and more every month.
I realize more clearly than ever before that, 20 years from now, our children, both the United States’ and our Allies’, will have no chance competing in a world where China has the drastic advantage of population over the US. If the US can’t match the booming, hardworking population in China, then we have to win by being smarter, more efficient, and forward-leaning through agility, rapid prototyping and innovation. We have to be ahead and lead. We can’t afford to be behind.
Timeliness is foundational to both AI/ML and cybersecurity, but also for enabling the delivery of capabilities at the pace of relevance. That is where DevSecOps came in. We created the DoD Enterprise DevSecOps Initiative, certainly the largest DevSecOps engagement in the world, within the most complex organization in the world.
If I had listened to detractors (and even some of the well-intended folks of DoD), we would have never even started. Allegedly, it was impossible for the Department to evolve and make a significant change like this.
We demonstrated that a small group of people can turn the largest ship in the world through grit, wit and hard work. If the Department of Defense can do this, so can any U.S. organization!
In only 3 years, we were able to:
– Create the largest Community of Practice for DevSecOps with the “DoD Enterprise DevSecOps Initiative” and release the DevSecOps Ref Design to the world (even version 2.0 recently!) (https://software.af.mil/dsop/documents/)
– Create the first DoD Enterprise DevSecOps Managed Service: Platform One with the most incredible DevSecOps team, ever! (https://p1.dso.mil)
– Open source the Platform One DevSecOps architecture and Platform One DevSecOps Platform (Big Bang) and its code on Repo One, the largest DoD open source contribution in U.S. history (https://repo1.dso.mil)
– Create the first large scale implementation of Zero Trust in the USG with Cloud Native Access Point (CNAP) moving from obsolete perimeter security principles to a Cloud agnostic, elastic zero trust implementation with data centricity and software defined perimeters at its core. We just released its Ref Design (https://software.af.mil/wp-content/uploads/2021/08/CNAP-RefDesign_ver-1.0-Approved-for-Public-Release.pdf)
– Award the DevSecOps Basic Ordering Agreements contract vehicle to enable the acquisition teams to move at the pace of relevance
– Engage industry more than ever before by ensuring both the existing Defense Industrial Base and new startups/companies can do business with DoD faster than ever before, all while sharing and answering questions during a dozen Ask Me Anything events, with a total audience live of over 10,000 people.
– Bring Kubernetes on weapon systems, including jets and space systems, where we demonstrated that containerization was not only possible but game-changing on Real-Time OS and legacy hardware.
– Bring the most advanced cybersecurity stack with the Sidecar Container Security Stack (leveraging the first widespread implementation of a Service Mesh in the USG) with Zero Trust enforcement down to the container level and Behavior continuous monitoring detection and prevention.
– Build the first .MIL Cloud-native DNS capability hosted on Kubernetes with coreDNS and using Configuration as Code in Git!
– Build a coalition of the willing for DevSecOps across all DoD Services including the Navy, Army, Space Force, Air Force, and 4th estate
– Move some of the largest DoD weapon systems to Platform One
– Save 100+ years of planned program time by moving key weapon systems across DoD to DevSecOps
– Push over-the-air software updates to weapon systems (U-2) while flying the jet
– Bring AI/ML capability to the jets to co-pilot the jets alongside our Air Force pilots
– Deliver faster, better quality and more secure software with incredible DORA metrics numbers comparable to some of the most mature DevOps teams in industry.
– And much more!
Some of you will wonder “Why now?” Certainly, with all that is going on right now, it is far from the best time.
– The right time will never really come. I will always feel some guilt or regret in leaving. I have this sinking feeling that I am letting our warfighters, the teams, and my children down by not continuing to fight for a better outcome 20 years from now…
– I certainly cannot complain or compare myself to the sacrifices of our warfighters, but I am missing a lot of milestones and time with my children, and they are not waiting for me to grow up.
– Most of you have probably seen the recent article (https://www.airforcemag.com/air-force-leadership-chief-software-officer-devsecops/) where I expressed that I’m tired of hearing the right words without action, and I called on leadership to “walk the walk.” That includes funding, staffing and prioritizing IT basic issues for the Department. A lack of response and alignment is certainly a contributor to my accelerated exit. There have been continuous and exhausting fights to chase after funding “out-of-hide,” because we are not enabled to fix enterprise IT teams within Program Offices. Worse, some are starting to use the size of the DoD as an excuse to claim that Enterprise Services cannot succeed in the Department. That is false and we have demonstrated it with Platform One. The Department of Defense, overall, needs to stop staffing Enterprise IT teams as if IT is not a highly technical skill and expertise.
Please stop putting a Major or Lt Col. (despite their devotion, exceptional attitude, and culture) in charge of ICAM, Zero Trust or Cloud for 1 to 4 million users when they have no previous experience in that field – we are setting up critical infrastructure to fail. We would not put a pilot in the cockpit without extensive flight training; why would we expect someone with no IT experience to be close to successful? They do not know what to execute on or what to prioritize, which leads to endless risk reduction efforts and diluted focus. IT is a highly skilled and trained job; staff it as such. I told my leadership that I could have fixed Enterprise IT in 6 months if empowered. Yet with my 22 years of expertise running IT innovation, I was underutilized and poorly leveraged by the DoD, as most of my time was wasted trying to convince folks to engage with me and consider more relevant and efficient solutions, while I watched as they continued to deliver capabilities that do not meet the basic needs of our warfighters. The DoD should stop pretending they want industry folks to come and help if they are not going to let them do the work. While we wasted time in bureaucracy, our adversaries moved further ahead.
– The DoD is still using outdated water-agile-fall acquisition principles to procure services and talent instead of leveraging “Capacity of work” agile contracts to staff teams. Improving acquisition ensures teams have the ability to groom their backlog and move at the pace of relevance. Only Platform One, and teams like Kessel Run, are truly end-to-end agile, from what I have seen to-date.
– I am becoming “technology stale”. With so much distraction just trying to push the laggards, I have stopped learning and engaging in innovations: I have been innovating and creating world premieres my entire career, over 189 of them.
– Lauren Knausenberger, Chief Information Officer for the Department of the Air Force, and I are still largely unempowered to fix basic IT issues; we are running in circles trying to fix transport/connectivity, cloud, endpoints, and various basic IT capabilities that are seen as trivial for any organization outside of the U.S. Government. Please empower her. She can get things done faster than anybody else I know.
– But one of the main reasons for my decision was the failure of OSD and the Joint Staff to deliver on their own alleged top “priority”, JADC2 – they couldn’t “walk the walk.” I put my reputation on the line when I shared that I was asked by the Joint Staff to join the JADC2 team as their CSO. They wanted me to help deliver a Minimum Viable Product (MVP) within 4 months so that we would finally have a tangible deliverable to show for JADC2, not just redundant and siloed work performed by each of the DoD services or vaporware/stale documents. After a massive undertaking and development of a scope of work, based on demands from our warfighters and COCOMs, I had just started the work and built up excitement with teams and our mission partners, when I was told by the Joint Staff that there was no FY22 funding to support the MVP after all. After all the talk and continued assertions that this was critical work, DoD could not even find $20M to build tremendously beneficial warfighter capabilities. A rounding error for the Department. Never has my “walk the walk” remark felt more relevant. We had to wait for FY23 funding…
It seems clear to me that our leaders are not aligned with our vision in pursuing agility, the importance of DevSecOps, continuous delivery of capabilities, nor, most importantly, the need to fund teams, like Cloud One and Platform One, that are making things happen for the Department, and are a catalyst for change across the Government.
In fact, they have repeatedly refused to mandate DevSecOps, not even for new starts in custom software development! There is absolutely no valid reason not to use and mandate DevSecOps in 2021 for custom software. It is borderline criminal not to do so. It is effectively guaranteeing a tremendous waste of taxpayer money and creates massive cybersecurity threats but also prevents us from delivering capabilities at the pace of relevance, putting lives at risk, and potentially preventing capabilities from being made available when needed whenever world events demand, many times overnight. We witnessed the benefits of DevSecOps thanks to the amazing Platform One team with incredible delivery of capabilities during the global pandemic and even recently with the situation in Afghanistan. DoD must do better.
Instead, we hear the leadership talk about Zero Trust implementations without our teams receiving a dime of funding to make it happen. Particularly interesting when I pushed Zero Trust 5 years ago at DHS all to hear the NPPD leadership refuse to implement it and continue the status quo with outdated programs like Einstein, CDM and the TIC thereby putting our nation at tremendous risk. My team and I ended up creating the Cloud Native Access Point (CNAP) in early 2020 with funding out-of-hide, in 45 days, and yet I heard the DISA Chief Engineer at the time tell me he wasn’t sure about this “Zero trust thing yet.” Now they are allegedly ready to embrace it and create a Zero Trust capability for the entire DoD, but of course without reusing a single piece of CNAP. Why waste more taxpayer money playing catch up? The “not invented here” syndrome is powerful in DoD and our leadership is not willing to stop it.
I, as have many of us, have been trying for 3 years now to convince various teams to partner and merge work across the Department. We don’t need different stacks just for the sake of egos. There are 100,000 software developers in the DoD. We are the largest software organization on the planet, and we have almost no shared repositories and little to no collaboration across DoD Services. We need diversity of options if there are tangible benefits to duplicating work. Not because of silos created purposefully to allow senior officials to satisfy their thirst for power.
Unfortunately, more often than not, I have failed at convincing teams to merge work, or it was so painful that it was designed to fail from day 1 and then used as an excuse not to try again. Some of it, without a doubt, is my fault but I know I certainly tried harder than most of these teams combined.
At this point, I am just tired of continuously chasing support and money to do my job. My office still has no billet and no funding, this year and the next.
As I depart, I will not be able to list all the incredible people that have made this work possible and helped us achieve all the things we talked about, the list is way too long, and I would be worried I would forget some. But with all we have conquered together, they know who they are, and I, and our nation, thank them!
People will be asking what is next for me, the short answer is: more time with the family and some deserved peaceful sleep knowing that our nation is more secure thanks to the work we did!
Of course, I do not plan to sleep for too long, I will be exploring rejoining boards and … who knows! Stay tuned!
Thank you for your help in making this happen, please stay safe.
God bless us, and God bless the United States of America.