The Defense Department kicked off the planning process this week for an expected IT procurement that will affect more than one and a half million users, following up on an earlier commitment to migrate its massive Enterprise Email service to a privately-operated, commercially-based cloud environment.
On Wednesday afternoon, the Defense Information Systems Agency released a request for information regarding an eventual Defense Enterprise Email 2.0. DISA is a long way from developing a formal acquisition strategy, but the project would be a massive undertaking for any winning vendor or vendors. The current government-operated email service — which DISA rolled out in 2011 with the Army as its largest customer — serves 1.6 million users around the world. And DoD wants a private sector vendor to be able to support up to 4.5 million users if the other military services and defense agencies come on board.
“The approach we’re taking in this follow-on is that we really don’t want to develop it, we want to buy it as a service offering from somebody,” David Bennett, the director of DISA’s implementation and sustainment center said at AFCEA Northern Virginia’s recent warfighter IT day. “Even to the point where we open up for discussion where we actually host the capability. It could be in a commercial cloud, it could be in a DISA facility. But our intent is to get out of being the service provider and developer and acquire it from industry. The where and the how really are the essence of what we’re looking for industry to tell us. We’re looking to do this in the most effective way at the lowest cost.”
And the Pentagon is already setting aggressive cost-reduction targets. This week’s RFI told vendors that DoD wants them to provide a global email service for half the price DISA currently charges its Defense customers for the government-operated service: about $40 per year for each user.
The commercial system DoD envisions would only handle unclassified email — but it would need to be able to handle various flavors of controlled unclassified information (CUI). So the vendor would need to be able to pass DISA’s security tests and gain its approval to handle data up to what the agency defined as Impact Level 5 in the cloud security requirements guide it issued earlier this year.
But beyond laying out its basic security requirements and cost objectives, DISA is doing relatively little at this stage to specify exactly what sort of system it would like to buy. Bennett said the Pentagon wants as few bells and whistles as possible: basic email and calendaring will do just fine.
“One of the things we’re trying to do is make sure we don’t get into requirements creep, where suddenly we’re not only trying to provide email, but a kitchen sink, an outdoor bathroom and everything else somebody can think of,” he said. “As you start to deliver an enterprise solution, that always becomes the issue. Everybody wants their unique capability brought into it and they want to throw in buzzwords like ‘unified capabilities,’ and everybody has their own definition of what that means. So we’re spending a lot of time, but not an inordinate amount of time, getting down to brass tacks of what we want as a very simplistic, base-level email capability that we can rapidly get on contract and out there in the field.”
The RFI does signal some other basic requirements, among them: an eventual vendor will need to provide a full-time help desk, assist with the transition from the current version of enterprise email, and provide records management services including marking data according to its classification level.
DoD also would prefer that the new system be available via virtual desktops and mobile devices.
The current version of enterprise email already allows mobile access to unclassified email for an additional per-user charge, and about 700 users are able to get their classified email on commercial mobile devices.
Jack Wilmer, DISA’s infrastructure development executive, says DoD would like to continue to expand that capability — even though it does raise some cybersecurity concerns.
“Adding mobile to the environment absolutely complicates the equation. It introduces a whole lot more avenues into our network,” he said. “All of the endpoints now are beginning to proliferate. Not that many years ago I had basically one device connected to the network, now I have three or four, and that’s just me. But I think that what you’ll see is the number of devices per person continuing to increase.”
Beyond email, DoD wants to avail itself of a wide variety of commercial cloud technologies. DoD chief information officer Terry Halvorsen told reporters this week that hybrid clouds — involving some technology on the government side serving as a bridging function to the commodity IT available via cloud service providers — looks promising. Some early candidates for a commercial cloud migration could be logistics and supply data.
“One area we’re working on right now is what we’re referring to as common services,” said Rob Vietmeyer, who leads cloud computing planning in the DoD CIO’s office. “What we’ve found as we’ve made these initial steps into commercial cloud environments, a lot of the foundational capabilities we’re used to aren’t there. So we’re looking at how we extend a lot of those platform type of services that exist in the department into those cloud environments. We have efforts with DISA and across the military departments trying to build those to work with these commercial services in a hybrid fashion.”