Within the next month, the Navy expects to issue a request for proposals to support a new concept it’s calling the “Cloud Store.” As the name suggests, the idea is to let Navy commands easily choose from among several commercial cloud service providers once they’ve drawn up a solid business case to move a given application out of government data centers, without having run the twin gauntlets of procurement and security approval each time.
As of this month, the store is officially up and running. During the initial rollout, there’s only one product on the shelf: Amazon Web Services (AWS). But the Navy plans to make awards for a 2.0 version of the store by the end of this year. If all goes according to plan, the Navy will have several different commercial cloud providers on contract and pre-approved to handle applications at security levels up to the most sensitive categories of unclassified data, Erle Marion, the commercial cloud computing lead within the Navy’s Data Center and Application Office (DCAO) said in an interview on Federal News Radio’s On DoD.
“We’re evaluating all of our applications with the assumption that cloud is the first option,” he said. “If it’s not, the most common reasons are going to be because of data sensitivity or because of the amount of data that’s coming and going between DoD networks and the commercial space.”
(Note: Erle Marion and Susan Shuryn, the Navy CIO’s lead for cloud computing, will participate in a free online chat on Mar. 29 at 1:30 ET. Register here).
The Navy’s decision to focus its cloud procurement within the office that’s also tasked with data center consolidation is a particularly strong signal that it’s still interested in the still-unfulfilled “cloud first” vision the U.S. government’s top technology official first outlined 5 years ago. As part of the project, the Navy has declared that it intends to move 75 percent of its data into commercial hosting environments by 2022.
The “store” construct also aims to simplify what’s been a highly decentralized process for contracting and security approval that, so far, has left individual application owners to navigate DoD’s cloud security model on their own. The current process requires each prospective vendor to earn a provisional authorization before they’re permitted to compete for a contract, and then earn an authority to operate (ATO) before they can begin work on any individual government system.
In that sense, the prospective value to the Navy of the upcoming RFP and cloud store isn’t so much about creating a new procurement vehicle, it’s more about consolidating the bureaucratic components that have held Navy components back from cloud computing and letting one office handle those aspects as a “managed service.”
“It’s about managing the agreements between all the different organizations that have to be involved and doing the work of migrating applications into the cloud environment and enabling the commercial service offering, having the right processes in place to deliberately migrate them to their new home,” Marion said. “Most of this is about the business aspects — the change management that our customers have to go through when they’re moving from a government data center. Our main job is to make sure that none of the government’s requirements are being missed, but we’re trying to be a very thin layer between our customers and industry.”
That layer includes serving as a “front door” for cloud in which Navy system owners ask DCAO for technical reviews to help them decide whether their applications are good candidates for any of the cloud services that have already been approved for DoD data and estimating the costs and savings of moving those apps to the cloud. The cloud store also serves as a “payment broker” to simplify the process of moving dollars of various colors and in different appropriated funds from a given customer to the commercial provider that’s actually delivering the computing services.
“We’ve got the big rocks in place to do all of that, and we think we’re doing it deliberately and successfully,” Marion said.
The 1.0 version of the store allows cloud purchases via an infrastructure-as-a-service contract the Navy’s Space and Naval Warfare Systems Command (SPAWAR) had already negotiated with Amazon, one of the few vendors who have successfully gained DoD security approval at impact level 4. Amazon is also seeking approval at level 5, the highest designation for unclassified data in DoD’s current cloud security model.
The store’s foundations are also built on the fact that the Navy is the first military service to have built a cloud access point that DoD has accredited at those high levels — just one notch below secret data. That CAP, which monitors all data moving between Defense networks and commercial cloud providers, is required for levels 4 and 5.
Even before the store officially opened, the Navy used its Amazon contract to transition more than 1,000 of its public-facing websites from government servers to the cloud.
Asked whether the current sole-source environment gives AWS an unfair advantage on future business for those “level 2” services, which only require certification thorough the FedRAMP process used by the rest of the federal government, Marion said Navy customers may find other options that better suit their needs once the second version of the cloud store is up and running with multiple vendors.
“You have to look at this from a couple points of view,” he said. “One is what’s the best place for those applications from a risk perspective. And in a lot of cases, our technical review is probably going to lead us to decide that putting it in, in some place other than AWS, is a better technical fit for the application’s needs. No single cloud service provider’s offerings are going to be the same as any other, and we need to be able to deliberately and technically match each mission owner’s needs with the service offering that’s best able to meet those needs.”