Two months after the Defense Department told vendors it needed to rethink its approach to buying cloud computing services from commercial providers, DoD says it’s still assessing the proper place for commercial cloud in the military and the right acquisition strategy to procure those services.
In early November, the Defense Information Systems Agency, which DoD has tasked as its single broker for cloud services, announced it was pulling back from an acquisition strategy for cloud services for unclassified data that could have been worth up to $450 million. In a short statement to vendors, DISA said it had overestimated the demand within DoD for commercial cloud products.
But Tony Montemarano, the agency’s director of strategic planning, said DISA certainly is not giving up on commercial offerings.
“The cancellation of the contract initiative was a realization that our requirement wasn’t quite clear. We didn’t have the requirement we thought we did as far as volume,” he told an AFCEA luncheon in Arlington, Va., Tuesday. “But our commercial cloud strategy is not changing. We’re adjusting to make sure we’re going after the contract vehicles we need to go after.”
DISA officials say both they and the wider Defense Department think there are a lot of areas in which commercial cloud would be a better, more cost effective substitute for some of the computing services that the military services and Defense agencies currently run on their own. But they say several big questions and potential hang-ups need to be resolved.
A similar approach to the CIA?
Dave Mihelcic, DISA’s chief technology officer, said the agency believes it can’t take a one-size-fits-all approach to the cloud acquisition. It will need to tailor contracts to suit all six levels of security requirements the agency outlined in its recent cloud security model, which covers everything from publicly-releasable information to classified data.
“Across that span, we’re going to see different solutions appropriate for different levels of data,” he said. “And the acquisition strategies may be different based on the kind of service we’re trying to acquire, whether it’s software as a service, platform as a service. Whether we use pure commercial public cloud or a DoD cloud is going to vary.”
DISA officials say they’re also seriously considering following the approach the CIA took when it hired a cloud provider — in that case, Amazon — to build a cloud environment based on its technology, but walled off from the public Internet and secured within the agency’s own IT environment.
But Montemarano said there’s currently a crimp in the supply line of companies who meet DISA’s security needs.
DoD has committed to using products that have been certified under the Federal Risk and Authorization Management Program (FedRAMP), the governmentwide construct designed to give security certifications to cloud systems once so they can be used throughout government.
“But the question I’ve got is, how many solutions out there are FedRAMP compliant? The answer is, not very many,” he said. “We ourselves are going to take our own DoD-developed cloud and put it through FedRAMP. We’re going to stand up and embrace it, but we need some cooperation from industry to comply with the regulations of the federal government.
Currently, the Joint Authorization Board, which includes DoD, the Homeland Security Department and the General Services Administration, has approved eight infrastructure-as-a-service providers, one software-as-a-service provider and platform-as-a-service provider under FedRAMP. The board also granted a FedRAMP authorization the Agriculture Department’s private cloud for infrastructure-as-a- service.
Montemarano also said DoD is concerned about the impact on day-to-day network operations of taking data and computing capacity that’s currently housed within the military and placing it in outside servers that the department’s cyber workforce might not have complete visibility into.
“The fact of the matter is there is a demand signal from U.S. Cyber Command. They want to understand exactly what’s happening, when there’s an anomaly, exactly what the fix is,” he said. “That three or four star general in the field is not interested in hearing, ‘We’re working on it, I’ll let you know when we’re done.’ We have a command and control requirement that’s there, and it’s hard because that’s not the way commercial products are set up normally. But that demand signal has not gone away.”
And once DoD gets to the point where it’s making large-scale use of commercial cloud capabilities, officials say they’ll need to have a framework of criteria in place for deciding which systems belong in the commercial space and prioritizing which ones to migrate first.
Martin Gross, a DISA program executive officer, said that’s currently the topic of intense debate within DoD.
“There’s a divergent set of opinions between the people who are the resource sponsors and those who are making the security decisions. Different people are willing to take different risks based on price points and operational needs,” he said. “But within the agency, we are looking at certain applications that really should have been in the commercial cloud already, and as we look at tech refreshing our capabilities you’ll see those move to commercial cloud hosting. The things that share information with an unclassified community and have equities outside the department and don’t need to be hosted within a DoD facility are the kind of things you’re going to see moving. The rest is still open for debate and discussion.”
Mihelcic said DoD also needs to address many of the cumbersome internal policy barriers that currently keep the department from taking advantage of the inherent scalability and rapid deployability of commercial cloud technology. That’s a lesson he said DISA itself already has learned in painful ways.
“We have an offering called the Rapid Access Computing Environment (RACE) that goes back three years now. It could offer virtual machines on-demand to end users within a fraction of a minute. So what did we do? We put in place an approval process on top of that, and when my organization tried to actually use it, the process took on the order of nine months,” he said. “We took provisioning from seconds to almost a year. So what we’re trying to do is address these process issues so we can truly benefit from automation. If we have a great commercial solution but our off-ramp to it is still a dirt road, it doesn’t help us.”