Lawmakers want answers about Pentagon’s increasing reliance on Microsoft

Members of Congress say they are "deeply concerned" about the Pentagon's decision to expand the use of Microsoft software.

Members of Congress sent a letter to the Pentagon on Wednesday asking about the department’s push to begin implementation of Microsoft’s most expensive licenses, known as E5, across all components starting next month.

The Pentagon is considering requiring all department offices to implement the full suite of Microsoft 365 E5 licenses across their Non-classified Internet Protocol Router Network (NIPRNet) within the next 12 months as part of its effort to achieve the target level of zero trust by 2027, according to a draft memo first obtained by Axios.

In a letter, Sens. Eric Schmitt (R-Mo.) and Ron Wyden (D-Ore.) said they are “deeply concerned” about the department’s decision to expand the use of Microsoft software and that it is “doubling down on a failed strategy” of increasing reliance on the company’s products.

“Although we welcome the department’s decision to invest in greater cybersecurity, we are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity,” the lawmakers wrote.

“Cybersecurity should be a core attribute of software, not a premium feature that companies upsell to deep-pocketed government and corporate customers. Through its buying power, DoD’s strategies and standards have the power to shape corporate strategies that result in more resilient cybersecurity services. When the DoD demands sophisticated cybersecurity products, there are not only positive effects across the U.S. government but also beneficial consequences across the public and private sector.”

If the memo is signed, all DoD components would have to begin their implementation process by June 3 and fully finish the transition by June 2, 2025.

“With the future department-wide implementation of Microsoft E5 on NIPR, the department will ensure zero trust implementation is achieved at the [zero trust] target level by fiscal 2027, reducing our attack surface, preventing adversaries from moving freely throughout our networks and further protecting our critical data,” the draft memo reads.

Microsoft has been under fire for failing to prevent a high-profile hack of government email accounts by a state-backed Chinese group last summer. The Department of Homeland Security’s Cyber Safety Review Board concluded that the breaches were “preventable and should never have occurred.”

As Congress is probing the breaches of email accounts of senior U.S. officials, Microsoft is briefing the federal government on its plan to tackle security challenges that have plagued the company in recent years. Brad Smith, Microsoft’s vice chair and president, will testify before Congress about the latest series of serious cybersecurity incidents and the company’s efforts to improve its internal practices next month.

In addition to security concerns, the department’s overreliance on one vendor hinders innovation and “results in wasted taxpayer dollars,” said Schmitt and Wyden.

“The risk is that you’re singling up on a single vendor for these products. You have no heterogeneity in your ecosystem. And if there’s a systemic flaw, it might cut across all of these products. If you can single up on one vendor without any competition, how can you expect to get the best of breed? And the answer is that you can’t expect to get the best of breed. That is something that should be a concern to the Department of Defense. And for better or worse, Microsoft does not have the best track record,” David Mihelcic, former chief technology officer for the Defense Information Systems Agency, told Federal News Network.

“That should be something that Congress is pushing DoD and the rest of the federal government to examine as well,” he added. “Why have they made themselves completely captive to one vendor for a whole slew of capabilities that can be acquired elsewhere?”

The lawmakers are asking Pentagon Chief Information Officer John Sherman to explain the rationale behind the decision to mandate implementation of the E5 suite as the senators are preparing to mark up the 2025 defense policy bill next month.

They are also asking the department for its reasoning behind the timelines laid out in the memo.

“There may be some imperative to do it because of budget constraints. It does seem to be an unexecutable deadline,” said Mihelcic. “The draft memo requires DoD components to begin initiating implementations of E5 by June 3, 2024. Basically, they say, ‘Just do it; don’t plan, don’t get the resources aligned to it, don’t get scheduled for it, just do it.’ Which to me is a recipe for failure.”

At the same time, the Coalition for Fair Software Licensing group, which advocates for fair software licensing practices, argues that the move to the E5 suite will ultimately result in a significant cost increase while limiting other vendors’ ability to compete and bring the best possible cybersecurity solutions to the table.

“It is concerning for any Department to further entrench itself into Microsoft’s ecosystem before the company has demonstrated that it has satisfied the recommendations of the CSRB report. Given the significantly increased cost of E5 licenses and tied services, we are concerned that this will limit the ability of other cybersecurity vendors to compete and address any vulnerabilities created in government systems because of overreliance on Microsoft products and security,” Ryan Triplette, the group’s executive director, told Federal News Network.

Copyright © 2024 Federal News Network. All rights reserved.
