The Defense Department is shopping for a vendor that can provide thousands of virtual machines to help replace its current, government-operated MilCloud service. The new cloud offering would be run by contractors but housed in DoD data centers.
The Defense Information Systems Agency released a request for information earlier this month, an early step in framing the acquisition strategy for what it’s been calling MilCloud 2.0 and what it now refers to as On-Site Managed Services (OMS). Very few decisions have been made about how the infrastructure-as-a-service project will be structured, other than that DISA wants to offer its DoD customers the ability to pay for only the storage and processing power they actually use.
“We’re looking to give our Defense customers the ability to order and pay ‘by the drink’ and not get charged for things they don’t consume,” Scott Stewart, the chief of DISA’s IT contracting division, told vendors Monday at an industry day previewing the upcoming procurement in Laurel, Maryland. “Today, we just over-provision and pay for things we don’t need. Some customers want more than we’re providing, some want less, so what we’re looking for is a true utility-based solution.”
DISA hasn’t yet announced a timeline for when it might release a request for proposals, but once it makes a contract award it plans for a contractor to build and operate a private cloud within two DISA-owned data centers: one as a primary site and the other as a backup for continuity of operations. The government would provide power, cooling and network connections, but most of the rest would be up to the vendor.
Insight by Carahsoft: This exclusive e-book demonstrates just how far agencies have come and where they still need to go to take fully advantage of DevSecOps to drive modern capabilities to their customers.
“We already provide a lot of these services through capacity services contracts in our Defense enterprise computing centers and those are commercial solutions as well, but there’s a lot of government intervention and configuration, including security and patch management,” Stewart said. “What’s envisioned in this model is that line of demarcation between the government and the contractor would be much further up the stack.”
Once the service reaches initial operating capability, DISA plans to test it with four still-to-be-determined applications that are currently hosted in the government-operated MilCloud. At full operating capability, the agency wants OMS to provide 5,000 virtual machines at any given time, but also be able to scale up to “support a much larger portfolio in later years.”
DISA thinks a private, military-only cloud will continue to have a significant role in DoD despite the growing number of companies who’ve won approval to host Defense data though the FedRAMP process and earned DoD-specific provisional authorizations. Greater security is one factor, since the IT infrastructure would be housed on government premises, connected directly to the department’s NIPRNet and overseen by the continuous monitoring systems that watch government-operated systems.
The winning vendor would need to be able to handle data at what DoD defines as impact level 5, which the most sensitive category of unclassified information and encompasses many national security systems.
“Certification and accreditation efforts are likely to be a critical part of the timeline heading towards an operational capability,” said Alicia Belmas, the OMS project lead. “The assessment of the infrastructure services to operate on the DoD information network will be done in accordance with the Risk Management Framework, and an appendix of the applicable security controls will be provided as an appendix in the performance of work statement. The services are going to reside within the DoD network perimeter, and they’ll require compliance with DoD network operations and continuous monitoring tool suites.”
DISA is also hoping the updated MilCloud offering will, in some cases, be cheaper for Defense components to use than purely commercial offerings, in part because of the metered billing system it’s looking to set up.
But as of now, Stewart said the agency is not certain how to accomplish that and is asking vendors for advice on how to manage the billing process.
“We really need industry help on this. We expect that there would by many users, and we don’t know whether it’s best to have them bring their funds into DISA’s working capital fund and then bill against that,” he said. “We want to move to utility-based pricing and a billing arrangement similar to what we have on our telecommunications side where we don’t have to process thousands of invoices. This billing piece is really key, and we need industry’s thoughts on that.”
The agency is also seeking industry input on how to structure service level agreements between the government and whatever vendor wins the eventual OMS contract. It’s also still exploring what type of contract vehicle would be most appropriate: an existing governmentwide acquisition contract or a standalone indefinite delivery indefinite quantity contract.
Besides building and managing the private cloud, Stewart said the final award is likely to include a mechanism for DoD components to order support services to help them migrate their applications into the OMS structure.
“Some of our customers have organic capability and they can transition their own applications, others don’t and they’ll need contract support,” he said. “There are a lot of legacy applications out there that don’t lend themselves well to virtual environments and they’ll need some engineering support. We’re looking to have this contract support those functions.”