The Navy and Marine Corps are in the midst of a significant shift in how the two services buy and use commercial cloud computing services, the upshot of which is a good deal more centralization, governance and oversight over their cloud consumption.
Under a new cloud policy the Navy’s chief information officer and top acquisition official jointly signed last month, individual commands will, for the most part, lose their authority to buy cloud services on their own. Starting in March, any new cloud spending will have to be funneled through the Naval Digital Marketplace, an electronic provisioning service operated by the Program Executive Office for Digital and Enterprise Services (PEO Digital).
It’s a major change to the Navy Department’s cloud philosophy. Just two years ago, officials decided the best way to accelerate commercial cloud adoption was to embrace a decentralized approach that let eight separate offices — the CIOs of various systems commands throughout the Navy — serve as independent “cloud brokers.”
But things have changed a lot since then, said Travis Methvin, the project manager for the Naval Commercial Cloud Services office.
“When we started this two years ago, a big driver was that the commercial cloud companies weren’t quite familiar with the DoD arena and how to participate, and that has evolved,” he said in an interview for Federal News Network’s On DoD. “And as we saw the cloud brokers try to stand up their own business operations and start to build and deploy services, the budget wasn’t there, and the time wasn’t there for them to focus on the monetization of their portfolios. So this is really part of an overall DON strategy to creating centralization opportunities.”
Methvin said the new cloud strategy is just the first piece of a broader centralization of enterprise IT services that’s expected to be approved by senior Navy officials in the coming months.
But when it comes specifically to commercial cloud services, the new policy tasks PEO Digital with maintaining all of the Navy Department’s new cloud contracts, “decoupling” them from other programs. Program managers working on new IT projects will no longer be able to bundle cloud spending together with larger system integration or development contracts.
One major reason for that: the Navy wants much more visibility than it has now over what it’s spending on commercial cloud and how those services are being used.
“One of the great lessons that we’ve learned was that when cloud was wrapped up within [other contracts], it created risk to the Department of Navy in understanding where our data was and how security was being implemented,” Methvin said. “It also reduces the amount of time and effort it takes an organization to let their own contract if we can focus on enterprise availability of those things. We’re also looking at how we support our partnership with the cloud offices within DoD and their and their desire to get to an enterprise environment.”
The December policy specifically directs PEO Digital to set up new mechanisms to monitor the entire Navy Department’s consumption of commercial cloud services. That platform is still a work in progress, Methvin said, but it will focus initially on the DON’s deployments of Microsoft Azure services.
PEO Digital is especially interested in cloud services that can be deployed via an “infrastructure-as-code” framework that has all of the Navy’s security and technical requirements baked-in and ready to buy from the marketplace. Notionally, Navy mission owners would log in to the storefront at cloud.navy.mil, select the services they need, and have them quickly provisioned – mostly via automated scripts.
“Over the next four-to-six months, you’re going to start to see the ability to use API-driven self-service deployments for things like infrastructure-as-code for our agreements with Azure, you’ll start to see software-as-a-service with our partnership with ServiceNow, and we’ll be looking at other opportunities for industry partnerships that allow mission owners to start to work a little bit more efficiently,” he said.” What used to take nine to 12 months for individual applications, we’re really trying to reduce the barrier and get it into a week’s time.”
The new DON policy also places a premium on reciprocity — letting the Navy leverage security approvals cloud vendors have already gained from other DoD organizations — so the marketplace will be stocked with offerings that are already on contract via the Army, Air Force, DISA and other Defense components.
In the early going, the DON has already seen some benefits from leveraging security approvals that one program has gained and reusing them elsewhere. One example is the Research, Development & Acquisition Information System (RDAIS), which, as the name implies, tracks acquisition program data across the Navy and Marine Corps.
For the latest round of improvements to RDAIS, the department leveraged a software development pipeline called the Marine Corps Business Operations Support Services (MCBOSS), which in turn grew out of the DevSecOps concepts the Air Force proved in its Kessel Run project.
“It lets us get through the development process much faster,” said Ruth Youngs-Lew, the program executive officer who leads PEO-Digital. “They did a complete analysis, walked through what the different options were, and then chose that path – and it’s the first instance where we’re actually taking a Navy program and putting it through the Marine Corps pipeline.”