It’s now been nine months since the deputy secretary of Defense ordered department components to prioritize moving their IT systems to commercial cloud services, including via a new contracting vehicle known as JEDI.
But the Air Force isn’t waiting for JEDI to get up and running before it starts to comply with the spirit of Patrick Shanahan’s mandate. At Hanscom Air Force Base in Massachusetts, the service designated a new “front door” to help the service’s components move their systems not just to off-premises cloud environments, but also to the latest iteration of the Defense Information Systems Agency’s milCloud.
In its role as cloud broker for the Air Force, the service’s Managed Services Office — part of the Air Force Lifecycle Management Center — is finding that milCloud 2.0 is the right fit for more applications than it initially expected, said Mark Bacon, the acquisition program manager leading the effort.
“Frankly, at first we were wondering why the DoD would try to match what the private sector has already invested in cloud technology and data centers around the world,” he said. “But then we started to see, as we talked to the contractors that are setting up milCloud, and also Onsite Managed Services, that they might prove to be a good environment.”
Making the transition
The cloud transition office is also using existing contract vehicles to help migrate some Air Force applications to off-site commercial cloud services, including Amazon Web Services and Microsoft’s Azure.
But as the transition office worked through the process of advising Air Force commands on the best cloud environments for their existing systems, it determined that milCloud is a better solution for some applications. The platform is physically hosted inside DISA’s data centers, but owned and operated by General Dynamics Information Technology.
“Take our enterprise resource planning programs, which are huge software suites that do a lot of different business processes,” Bacon said. “Since we have the DoD offering this commercial cloud pricing model now, which should save us some money, there are some large software suites that might be good to host in milCloud indefinitely, and maybe never put them in a commercial cloud.”
That’s especially true with applications that were never designed to operate in “cloud native” environments, or that rely heavily on constant data connections to other DoD systems that continue to operate within the perimeter of military networks.
In some cases, the need to continuously move information between an off-site commercial cloud environment and systems inside the DoD network boundary can make them even more costly to operate than if they were left in legacy data centers.
“For some of our really old apps and services that need to rely on legacy support services, milCloud might serve as a way station,” Bacon said. “We can put them there until the app owners figure out how to translate them into something that will work in a real, in a genuine commercial cloud.”
Because milCloud 2.0 is operated by a commercial provider, DISA decided to subject it to the same security approval process that’s required of off-site cloud providers that do business with DoD: a set of procedures sometimes referred to as “FedRAMP Plus,” which are detailed in DISA’s Cloud Security Requirements Guide.
As of now, GDIT has earned DISA approval to operate up to “impact level 5,” the department’s highest classification below the level of Secret. It expects milCloud 2.0 to gain an impact level 6 authorization for secret data by next year.
Caroline Bean, DISA’s program manager for milCloud, said the fact that milCloud also operates inside DoD’s existing network boundary should offer some comfort for IT program managers throughout the department who are considering a cloud hosting solution for the first time.
“We’ve made our pricing very competitive with other off-prem commercial service providers, but we also provide the added security advantage of the data being behind the DoD perimeter,” she said. “So I believe it comes down to the comfort level of each application’s authorizing official. Not all authorizing officials will be comfortable with jumping right away into an off-prem solution for its impact level 4 and 5 data. So our on-prem solution essentially allows them a way to test the commercial cloud waters first.”