Operational Readiness and Modern Cloud Services

What are the attributes of a ready force? And how much readiness is enough? The Department of Defense defines readiness as: “The degree of preparedness and responsiveness of our forces that allows me to deploy them with little notice in response to government direction. It’s the ability to get the right people, with the right skills and the right equipment, into the right place at the right time and to sustain that for as long as government requires.” They further go on to talk about “The capability of a unit/formation, ship, weapon system or equipment to perform the missions or functions for which it is organized or designed.” But what about asking it to perform beyond the functions for which it was designed? For that we need rethink how we deliver a capability.

The most basic element of understanding readiness is knowing what types of wars the military must be prepared to fight. This includes potential adversaries it could face; the capabilities these adversaries are likely to possess.

Figure 1: Data taken from Lawless, Cherwell. “COVID as a Catalyst: The Rise of the Remote Workforce.” Harvard Business Review OnPoint Winter 2020

For many organizations, COVID was a catalyst. It shined a light on organizational agility. That is, the ability of an organization to change – and change quickly. The ability to pivot, absorb and adapt has taken center stage in terms of organizational productivity. And this helps us to understand how very important “agility” is to operational readiness. Meaning, once we train and become “ready” – our ability to carry out our mission will be tied to how agile we are. We will not completely understand our enemy’s strengths and weaknesses. Our ability to fight and win will be predicated by our ability to pivot and make decisions faster than they do.

As seen above, productivity suffered for organizations that lacked agility. Conversely, productivity increased for organizations that embraced agility - those that practiced absorbing and adapting to new threats.

In 2020, the bipartisan Congressional Research Service published a report that explored the concept of readiness in more detail and identified three phases to the readiness-production process: (1) Building initial readiness, (2) increasing readiness, and (3) sustaining readiness. But if you break readiness down to “people” and “assets,” you see that people are capable of increasing their readiness; whereas assets (e.g., tanks, guns, trucks, planes, etc.) are typically in “sustainment” and actually depreciate. Traditional software development has been treated like a depreciating asset – but that’s changing. The latest approaches to developing, securing, and operating cloud solutions look to continue increasing capability, even after deployment. Getting into the field is seen as an opportunity to enter a new “iterative process” as seen in Figure 2 below where cloud-based solutions can “pivot and improve” to better support mission agility.

This military production line begins with untrained personnel and ends with a final product that is a capable military force (i.e., a military unit) in the form of ready warfighters. This linear “readiness production process” can be broken into three fundamental parts: (1) building initial readiness, (2) increasing readiness, and (3) sustaining readiness.

Modern cloud services can be seen in a very similar way – and offer advantages not seen in the physical world. For instance, after D-Day (deployment), can we ask more of an asset than what it was initially built to do? It’s impossible to add a new fire control system or depleted uranium armor to an M1A1 tank after it has been deployed. While an M1A2 variant can start back at step 1 and be built with these improvements, we know that a tank simply can’t pivot and adapt at this level in the field. Traditional software also fails to pivot and adapt after it is deployed.

Modern cloud services have an advantage here: When the development, security, and operational (DevSecOps) aspects of a cloud service are done right, we can consider updating production software in a continuous manner – securely and at a pace that improves readiness. This is where solutions can absorb, retool, and innovate: Increased mission agility.

Figure 2: The assembly line for readiness – “The Fundamentals of Military Readiness,” Congressional Research Service, October 2, 2020

Scalable “Infrastructure as code” was brought to us by the Hyperscalers (e.g., Amazon Web Services, Microsoft Azure, Google Cloud Platform, etc.). As applications were layered on top, three main types of cloud services emerged: Software as a service (SaaS), platform as a service (PaaS) and finally, infrastructure as a service (IaaS).

• SaaS – here we group all the enterprise applications services (e.g., Supply Chain Management, Enterprise Resource Planning, Human Capital Management, etc.). All the “back office” systems that form the core of how we manage and optimize assets.
• PaaS – the platforms we use to develop custom or specialized software. Think of these as advanced DIY kits to build the software that is unique to your organization – or that hasn’t been built to address your specific needs. This is about rapid application development of analytics or AI or truly unique, “tip of the spear” mission applications.
• IaaS – the “infrastructure as code” (IaC) layer from the Hyperscalers (e.g., Amazon Web Services, Microsoft Azure, Google Cloud Platform, etc.). This is the virtual set of services (compute, storage, networking, containerization, etc.) that transformed the “data center” into the cloud. IaaS supports automated builds to materialize a virtual set of servers, networks, firewalls, etc. in a consistent and rapid fashion.

The “break-through” moment and possibly the most important aspect of the cloud is how all of this is brought together, securely, efficiently, and continuously. The entire solution stack (e.g., applications, platforms, servers, etc.) is now code; code that can be scripted, managed, governed, monitored, audited, etc. This is a catalyst for software developers to completely rethink how software is developed, secured, and operated (DevSecOps). This is what allows us to quickly build and deploy innovation, securely – so that they can perform beyond what they were initially built to do. With its Continuous Integration / Continuous Delivery (CI/CD) Pipeline, DevSecOps can have tremendous impact to a solution’s mission assurance level.

• More Resilient: Automated build, from infrastructure to application. Dramatically better disaster recovery characteristics (i.e., Recovery Point Objective, RPO, and Recovery Time Objective, RTO)
• More Defensive: Addressing zero-day threats, quicker with automated scanning, patching, and deployment.
• More Offensive: Adding new capabilities on a daily basis. On the commercial side, vendors are releasing updates to production services daily. For them, constant innovation is the only way to stay on top.

Much like a modern assembly line, DevSecOps from SAP NS2 leverages automation as a force multiplier to seamlessly integrate the overall build process – and do it continuously. Traditional development and operations teams have long used a “many hands make for light work” approach. But manual labor with this level of complexity simply doesn’t scale. The goal is “lights out” automation – where automation takes care of setting up software and keeping it in a known good state.

Figure 3: SAP NS2, a Secure Software Factory – Transforming Commercial Innovation into Government Cloud Services

The traditional approach to building software resembles an isolated, single-family home. A single house could be built with its own power generation, well water, and septic field. A more efficient and effective approach would be to build your house in a community where you’d share utilities and infrastructure. Given the economies of scale, the price to build, run, and maintain a home within a community would be cheaper. The shared services (e.g., electrical grid, water, sewer, etc.) would likely be better, too. Benefits would apply to security as well with a larger, dedicated, and better equipped police force; something an isolated home just couldn’t justify. When this analogy is put into the world of cloud computing, we refer to this as single tenant (house) vs. multi-tenant (community of houses). In Multi-tenant SaaS, many agencies (cloud tenants) can share application services without sacrificing security or their uniqueness. Vendors can invest more for a community solution than single tenant solution. With this larger investment comes better security, better support, and continuously updated software.

Should we be concerned with the security of multi-tenant SaaS? No. The U.S. Federal Government has paved the way for shared services like this with their overarching security framework for cloud services, called FedRAMP – Federal Risk Assessment and Management Program. It is based on the National Institute of Standards and Technology (NIST) specifications for a Risk Management Framework (RMF) and a set of security controls. The security controls map to increasing levels of data security and can be inherited. For example, SAP NS2 adds application specific security controls on top of the AWS infrastructure security controls for a combined security assessment and authorization. This authorization is common / acceptable to all U.S. Federal Agencies for unclassified cloud solutions and delivers on FedRAMP’s goal of providing a streamlined and standardized process, called their “Do Once, Use Many Times” model. This helps all agencies accelerate their modernization efforts.

SAP NS2 currently operates three multi-tenant, community clouds for SAP SuccessFactors – a Human Capital Management Solution. SAP NS2 receives the base innovation from the “parent,” SAP, then transforms it into a secure, government cloud SaaS. DevSecOps / Automation investments are leveraged across all environments with increasing NIST security controls to support higher levels of data protection. In this way, a CI/CD pipeline is setup to pull from the $5B R&D spend of a global commercial company and deliver it securely to the U.S. Government.

Figure 4: SAP NS2’s Secure Software Factory leverages investments to serve 3 government markets

SAP offers a broad portfolio of secure and agile cloud services for government. Two enterprise solutions in particular support military readiness: digital supply chain technology (DSC) and human capital management technology (HCM). Both have proven to be extremely important over the last two years with the global pandemic; Both are developed, secured, and operated in the SAP NS2 Secure Software Factory.

Supply Chain Management and the “Digital Twin”

SAP NS2’s digital supply chain technology (DSC) helps get the right people, the right assets, to the right location, at the right time. In the past, complex problems like readiness have been broken into smaller concepts that execute in isolation, which has led to led to functional silos. Unfortunately, software built under this framework has been designed to address the functional needs of each independent silo. SAP’s DSC solution overcomes siloed approaches. It’s built around a comprehensive, end-to-end view. From the supplier to the consumption point and everything in between, we focus on agility productivity, connectivity, and sustainability.

A digital twin is a virtual model of a supply chain. SAP’s application provides a complete view of the entire supply chain in real time: Inventory levels, equipment in transit, demand and consumption profiles, and more. Each group in the value chain has its own view, with predictive capabilities that allow for the evaluation of different scenarios. For example, what if a port is closed or a supplier is offline? SAP’s DSC technology also incorporates AI and ML. The AI component represents the experience of experts in modeling and automating aspects of the supply chain. The ML component actively shapes the algorithms for continuously improving performance so that, ultimately, the warfighters receive the right equipment at the right time. Information such as cargo delays in geographic areas of concern.

Readiness and Human Capital Management

The military’s ability to build, increase, and sustain readiness always comes back to its people. Readiness depends on having the right people with the right competencies and experience in the right places at the right time. SAP offers an integrated talent management solution that focuses on recruitment, onboarding, performance, goal setting, and development. It feeds off a common “competency data pipeline,” so that decision makers can tie dashboard insights to an overall state of readiness. For example, comparing expected with actual competency ratings, they can discover competency gaps across the entire organization. Or they can use Workforce Analytics to correlate competency data with retention and better understand their training or recruitment needs.