The Defense Department is leaving almost every technology vendor on edge for another few days. It posted a message on the FedBizOpps.gov website saying it would post version 2 of the Joint Enterprise Defense Infrastructure (JEDI) cloud contract sometime this week.
Part of the reason for the delay is DoD received 1,089 comments from 46 vendors, two associations, and three government agencies in response to the first draft solicitation.
While DoD said it wouldn’t be sharing any details of the comments or commenters, it didn’t stop a full-court press from Capitol Hill and vendors to influence and change the Pentagon’s plans for a single source award for cloud services that many estimate could be worth as much as $10 billion over 10 years.
Contractors and former Defense officials have been ringing the alarm bells over what many see as an internal preference for the military to move to Amazon Web Services.
These concerns made Thursday and Friday of last week even more interesting when there was a series of non-response responses from Defense leaders, former Defense officials, lawmakers and even Amazon’s head of its global public sector.
During a House Armed Services Committee hearing, Rep. Jacky Rosen (D-Nev.) asked Defense Secretary James Mattis about DoD’s plans for the cloud contract.
Rosen: What are the cloud’s implications if we do public and private partnerships, as we — if we move to the cloud, who’s going to own some of that proprietary information? What if some of those private businesses go out of business?
Mattis: The movement to the cloud, congresswoman, is to enhance the availability of the information among us right now. We have to also quickly advance our security. We have over 400 different basic data centers that we have to protect, and we have watched very closely what CIA got in terms of security and service from their movement to the cloud.
It is a fair and open competition for anyone who wants to come in. It’s only two years. If you’ve read something about 10 years in the press, that’s not the case at all.
So it will be a full and open competition. Not sole sourced, by the way, to make certain we don’t fall into just one and I’m very confident that we can get it to your horizon on anyone bidding ought to know with certainty, they will not be folding.
So Mattis reaffirmed to lawmakers that the JEDI procurement will be fair and it’s only for two years. Now that may be a two-year base with several option years, but no matter, Mattis, I’m sure, is hearing the concerns from Congress and industry alike.
The Hudson Institute hosted a panel discussion with two former Defense officials — John Stenbit, who served as the assistant secretary of Defense for command, control, communications and intelligence during the George W. Bush administration, and Stephen Bryen, who served as the director of the Defense Technology Security Administration from 1981 to 1988.
Both Stenbit and Bryen as well as William Schneider, a senior fellow at Hudson and a former staff member in the House and Senate and State Department executive, expressed deep concerns about DoD’s acquisition strategy.
“The DoD has laid down its own standards or guidelines, if you want to call them that, on what it expects the security of the system it will procure should look like,” Bryen said. “Basically, what they’ve done, for the most part, is two things: one, of course, is to make sure the employees who are working in the cloud environment that they proposed are cleared American employees. That, by the way, creates a significant problem in being able to find enough cleared American employees to do the job. I’m not sure they are so readily available so that is definitely a challenge that is out there. The second is to take some of the procedures that are used to procure DoD’s existing computers, servers and equipment and apply that to the cloud. I’m wondering if DoD has such confidence in these standards. There is not a new standard for the cloud. They are just taking what they have in the Security Technical Implementation Guidelines (STIG). Basically, there are about 400 of these and they are massive checklists that you go through and make sure you are in compliance.”
Bryen said it’s unclear how the STIGs would apply to the cloud, and that’s a serious problem because fixing the cyber vulnerabilities can require taking a system offline.
Additionally, Bryen questioned DoD’s approach because it’s not clear what or who the backup is if Amazon’s services go down.
“My guess is the backup is actually the existing system, and what they really are trying to do is keep two systems going — a cloud system over here, and the old system here. We already know the old system has a set of problems. We don’t know all the set of problems with new cloud system,” he said. “If you can do denial of service attacks on a cloud, which is one risk, and shut it down, you could shut down DoD if it was only on one [provider.]”
Bryen said keeping the old system online as the backup also would require having skilled and cleared employees run those systems, which adds to the first challenge.
“I think this whole thing is really in need of a lot more study, a lot more investigation and particularly on the security side, which I think what we have is a simplistic approach to security right now that says we can put the old standards to the new system, it will work and everything will be fine. I think that is wishful thinking,” he said. “It seems to me that a much more ambitious effort should be made. I think cloud computing makes sense, but I think it has to be secure computing.”
Stenbit added that he would suggest to DoD that the Defense Science Board, which includes 45 private sector and academic experts that give the Pentagon advice and recommendations.
DoD also created a Defense Innovation Board, which includes private sector experts such as Dr. Neil deGrasse Tyson, Eric Schmidt of Google and Marne Levine of Instagram.
What’s even more interesting about the Hudson Institute event is it was sponsored by Oracle. Industry sources say Oracle is aggressively lobbying against DoD’s single source strategy. The software giant may also be driving a wedge across industry as all the large cloud and technology players are paying close attention to JEDI.
Bloomberg reported on April 13 that Oracle “is holding regular calls with tech allies, courting trade and mainstream media and lobbying lawmakers, defense officials and the White House.”
Of course, this wouldn’t be the first time Oracle played the role of aggressor. When the Trump administration released its draft IT modernization strategy in September, Oracle submitted comments that trashed Obama administration efforts to move off of legacy IT.
Less than 24 hours later, Teresa Carlson, vice president of worldwide public sector for Amazon Web Services, stood before a packed room in McLean, Virginia, during a Northern Virginia Technology Council (NVTC) breakfast and said nothing about JEDI or the ongoing e-commerce portal effort at the General Services Administration.
But if you read between the lines, Carlson’s points certainly were there to send a message.
“We have a leadership principle called customer obsession. It’s the one thing we think about all the time. It’s the way that listening to our customer has allowed us to move fast in this [public sector] community. We listen and then innovate on behalf of the customer. We don’t go in with preconceived ideas and we are pretty flexible on the way we are actually dealing with them,” Carlson said. “The one thing I’ve told my team from day one is that we are not going to settle to do things lesser than we should be because we are disruptive and we are changing the way our customers are thinking and taking advantage of technology.”
Carlson, then, went right after the government’s current approach to technology, acquisition and innovation, and maybe even all of those contractors who are pushing back against DoD’s approach.
“When you are creating new technologies — and a lot of people in this room are doing these kinds of things — you can’t settle for old and outdated policy or acquisition legislation. You can’t settle for security controls and modules that don’t meet the needs of our nation anymore,” she said. “It’s important we take a stand and we are proactive in how we are doing that. So we listen, we’ve innovated and we’ve brought those tools available to our customers.”
Later on in the speech, Carlson took another shot at the status quo companies.
She said AWS has dropped its prices more than 65 times since 2006, and increased the number of capabilities provided through the cloud.
“In 2012, we released 160 significant services and features. Fast forward to today, in 2017, we’ve launched over 1,400 new services. Why is that important? That’s important because it shows you with cloud computing how fast you can move, and how our partners and customers can take advantage of that. You don’t have to sacrifice innovation for speed or security. You can have all of those,” Carlson said.
It’s easy to see how all of these facts and figures are direct messages to lawmakers and DoD officials about why Amazon is the right choice.
So what does all this mean for JEDI?
Several industry experts have told me they believe JEDI will never get off the ground in its current incarnation. If DoD goes down the path of a single award, the congressional inquiries and the bid protests will keep this initiative tied up in knots for the next 12-18 months.
The second draft of the RFP, which is expected this week, will show whether the pressure by vendors and lawmakers is getting through, or if the Amazon supporters remain in control.