A recent Department of Defense memorandum indicates that the agency wants to pursue multiple commercial cloud vendors as it attempts to modernize its IT and data infrastructure, though a single provider will still have singular influence over the agency’s “general purpose cloud.”
“DoD is driving toward an enterprise cloud environment that is composed of a general purpose cloud and multiple fit-for-purpose clouds,” the memorandum to Congress, released Feb. 4, said.
“In addition, it should be recognized that the Department will still need non-cloud data center capability for applications that are not suited for the cloud. Over time, with the adoption of an enduring enterprise cloud strategy, the non-cloud environment should become smaller.”
That general purpose slot will be filled by the awardee of the $10 billion Joint Enterprise Defense Infrastructure contract, which has been criticized because its single-award intent would give the winner outsized control of the defense cloud market.
Many companies vying to support the Pentagon’s cloud requirements claimed that the odds were stacked in Amazon’s favor. In fact, the approach spurred protests and a lawsuit.
According to the memorandum, the fit-for-purpose environment will be made up of the Defense Information Systems Agency’s milCloud suite, as well as other unnamed vendors.
Throughout the cloud migration process, DoD will stick to four guiding principles:
- War-fighter First — any cloud solution must at all times address the needs of improving lethality while not jeopardizing the safety and mission of American war fighters.
- Cloud-Smart, Data-Smart — cloud solutions must streamline transformation and embrace modern capabilities while enhancing data transparency and visibility.
- Leverage Commercial Industry Best Practices — the cloud strategy should promote competition and innovation while preventing lock-in of one particular solution or technology.
- Create a Culture Better Suited for Modern Technology Evolution — the strategy will need to create a culture of learning and innovation while discouraging custom, federated approaches.
This approach to commercial cloud is not entirely unexpected: DoD Chief Information Officer Dana Deasy said during an October 2018 press event for the Defense Enterprise Office Solution cloud contract that the agency would be delineating between general purpose and fit-for-purpose contracts.
"This marks a milestone in our efforts to adopt the cloud and also in our larger efforts to modernize information technology across the DOD enterprise," Deasy said in a statement on the memo to Congress.
“A modern digital infrastructure is critical to support the war fighter, defend against cyberattacks and enable the department to leverage emerging technologies like machine learning and artificial intelligence.”
The new strategy also means that DoD will move away from a cybersecurity posture that focuses on perimeter defense and instead prioritize the protection of data and systems.
“DoD will produce a unified cybersecurity architecture that addresses cloud and the needs of classified and unclassified missions and data. The capabilities will be tested and assessed independently and frequently to ensure that cybersecurity attributes remain effective against developing threats,” the memo said, adding that the CIO will determine the command and control requirements between the agency and the cloud service providers.
Cloud contracts will also likely include requirements for training and workforce development to ensure that DoD can develop the expertise necessary to use and protect its new cloud environments.
And any potential migrations to cloud will have to come with thorough evaluations of legacy DoD applications.
“It is imperative that DoD has a cloud strategy to ensure that legacy applications are not moved to cloud without properly re-architecting them to make use of the data, security, resiliency and application advantages that cloud provides,” the memo said.
“Additionally, DoD should independently test and assess cloud network security to verify security compliance and incident response and review all contractor and third-party testing results to ensure that performance and security monitoring are sufficient.”
Jessie Bur covers federal IT and management.