Pentagon issues FAQ on upcoming cloud procurement, but answers are few

Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Few Defense IT acquisitions in recent memory have generated as much industry and public attention as the cloud computing project that’s come to be known as JEDI (Joint Enterprise Defense Infrastructure). Late last week, in one of only a handful of instances of public disclosure about the initiative to date, DoD acknowledged some of the questions that surround it, but didn’t do a lot to answer them.

For instance, what sorts of organizations has the Cloud Executive Steering Group that’s spearheading the project been meeting with? “Numerous” ones, according to the eight-item “Frequently Asked Questions” list DoD issued last week.

Advertisement

What has the CESG determined as part of its mandate from Deputy Defense Secretary Patrick Shanahan to examine the military’s existing cloud efforts and make recommendations? It’s too early to say.

How large will the JEDI contract be, and how many years will it cover? Again, TBD.

Perhaps most significantly, the department declined to add any detail around one of industry’s biggest concerns about the project: whether the new cloud contract will create a vehicle for multiple companies to handle DoD’s cloud needs, or whether it will wind up as a winner-take-all arrangement awarded to Amazon, Microsoft or another large vendor.

“The CESG is still assessing relevant data in an effort to determine final acquisition strategies,” Defense officials wrote, adding that they would lay out more details on those strategies at a previously-announced industry day on March 7.

The department acknowledged the authenticity of a November 2017 information sheet, first publicly reported by NextGov, which said that the JEDI contract would be a single-award contract. But, without elaborating, officials quibbled with anyone who would interpret that document to conclude the award would be made without a meaningful competition: it will be full and open, they insisted.

The referenced JEDI document does not mention sole source award; it mentions a single award. This is one of many draft documents used to spark discussion and debate in an effort to determine the acquisition strategy that will best meet the Department’s requirements. Most importantly the CESG is still in the analysis and fact finding phase of this process to determine how many contracts will best meet DoD’s needs.

However, the FAQ did provide a few glimmers of insight into the CESG’s thinking.

For instance, whatever form the JEDI contract takes is meant to be “additive” to the cloud migration activities DoD and its components already have underway. While the department plans to make it available to any military service or agency who wants to use it, it will not supplant or preempt anything those components are already doing.

Those statements are likely to provide some degree of relief to IT officials within the military services. Multiple government and industry sources told Federal News Radio that while the CESG has been asking a lot of questions about the cloud projects DoD already has underway, it has told them very little about its own intentions or how the JEDI project might affect their existing cloud efforts.

And 2018 happens to be a year in which there’s already a fair amount of cloud activity throughout the department, separate and apart from the JEDI project (although officials in the military services also acknowledge the deputy secretary’s direct interest in cloud has helped kick those efforts into high gear).

For example, the Navy recently delegated more authority to lower-level CIOs as one way to speed up its commercial cloud adoption. DoD also reached a potential $1 billion agreement earlier this month to support cloud migrations to multiple vendors. And MilCloud 2.0, the commercially-run successor to the Defense Information Systems Agency’s government-run cloud service is expected to earn a provisional authority to operate (ATO) for the highest levels of unclassified data (“impact level 5”) within the next several days.

That offering, operated by prime contractor CSRA but run inside DISA’s data centers, is expected to be 60 to 70 percent less expensive for Defense customers than the original MilCloud, John Hale, DISA’s cloud portfolio chief said in an interview.

“For MilCloud 2.0, we let a contract where the contractor is responsible for the hardware, the day-to-day operations and maintenance of the capability,” he said. “By picking a vendor who does it on a day-to-day basis, there’s a lot of cost savings there because they already have the capabilities in place.”
By the end of the year, DISA expects MilCloud 2.0 to be fully up-and-running, and also to have achieved an ATO to handle classified data. By that time, it will likely be one of three options DoD components have to choose from in addition to the JEDI project.

Amazon Web Services is likely to come first: It’s already built a secret-level “region” under a contract with the National Geospatial Intelligence Agency, and earned a joint provisional authorization by both DoD and the intelligence community for classified — impact level 6 — data. The DoD side of the accreditation was initially intended only for U.S. Transportation Command, which has been aggressively migrating all of its logistics systems to the commercial cloud.

“But the approving official who signed that provisional authorization has said that if there’s significant demand from other portions of the DoD for that capability, it can be opened up for other services,” Hale said. “Microsoft has also been doing the same thing with regard to Microsoft Azure for the federal government. So I think by the end of the year, you’re basically going to have three options: on-premises cloud, along with two off-premises cloud providers who can meet all of the requirements for secret-level data.”

Despite the department’s heavy focus on commercial cloud capabilities and the department’s confidence in vendors’ ability to keep critical Defense information safe, recently-articulated DoD policy also makes clear that there are at least a handful of critical security responsibilities the Pentagon is not ready to outsource, even in cases where it is longer directly hosting its applications or its data.

In a document the DoD CIO’s office distributed to Defense components late last year, the department laid out what it sees as ongoing “inherently governmental” activities for securing data in commercial cloud environments that will need to be performed by government cybersecurity service providers (CSSPs).

Among those responsibilities: DoD’s own cyber experts will still need to be in charge of running “red team” vulnerability assessments against systems that reside in the cloud.

Likewise, the government will need to retain its own expertise to notify mission owners when malware or security breaches are found in their cloud-hosted systems and deliver assistance, maintain classified information sharing relationships between CSSPs, implement urgent IT security orders from U.S. Cyber Command and monitor the “INFOCON” — or DoD’s own confidence level — in the security of any particular system.

Read more of the DoD Reporter’s Notebook.