The Department of Defense’s cloud strategy, released to the public Feb. 4, gave the first comprehensive look at how the Pentagon plans to structure its commercial cloud acquisitions and its expectations for cloud service providers.

According to industry experts, while the strategy indicates expanded opportunities for providers beyond the heavy requirements of the already-infamous Joint Enterprise Defense Infrastructure contract, the very nature of the DoD means that there will be limitations on who can compete for its cloud business.

The strategy places the single-source, $10 billion JEDI contract at the center of future efforts as the Pentagon’s general purpose cloud, which will be surrounded by smaller fit for purpose clouds that fulfill more specific needs at the various services and departments.

The JEDI contract seems designed for an Amazon win, industry critics have said, with only a couple of companies capable of offering any real competition that meets with DoD requirements.

“The scale of the enterprise cloud makes it likely that only very large cloud service providers can offer the scale of resources needed to facilitate a rapid transition to a cloud-based architecture,” Bill Schneider, president of International Planning Services, Inc. and senior fellow at the Hudson Institute, told Federal Times.

"The strategy document does a much better job than has previously been done with describing how the DoD cloud-based architecture will be a hybrid environment with multitude of fit-for-purpose clouds (based on mission-related waivers to justify a “fit-for-purpose” cloud rather than simple participation on the larger general-purpose cloud.

According to an industry expert that wished to remain anonymous, the diagram included in the new strategy answers many questions industry has about the place of JEDI, the milCloud 2.0 program and other potential cloud contracts, but still leaves some questions remaining.

Source: Department of Defense cloud strategy
Source: Department of Defense cloud strategy

“I think the policy says on its face, ‘We want to be innovative, essentially, we want to use commercial solutions, explicitly, we want to make sure that we are taking advantage of the efficiencies and savings that come with moving to the cloud.’ All of which are going to tell some people in industry there are tremendous opportunities for cloud-based projects at DoD,” Larry Allen, president of Allen Federal Business Partners, told Federal Times.

“And on a certain level there are. However, what the policy doesn’t say is what the individual organizations within DoD frequently say to companies with cloud solutions. And that is, ‘Look, you’ve got to have top-level security, even if we are non-core.’”

Though the strategy itself did not provide details on the level or kind of security authorization providers will need to posses to be considered for DoD contracts, experts say that it should be a major consideration for any provider looking to do business with the agency.

“It is likely that players in the DoD cloud services market will need to be able to offer cloud services in a secure environment,” said Schneider.

“It seems likely that consideration will need to be given to both cyber and physical security as well. As the commander of NORTHCOM recently put it, the ‘homeland is no longer a sanctuary.’”

The JEDI cloud contract already requires any potential awardee to be able to support Secret and Top Secret data, an authorization that only a handful of providers have achieved so far.

“Today there are only, what, three or so companies that have that? And a lot of companies will say that they can build it if the opportunity came along,” said Allen.

“I think that if you’re a vendor that is offering those types of solutions where you’re not really talking about a lot of storage, you’re talking about apps or about unified communications, you may potentially have an easier time of it. But you’re going to have to make very sure that you’re properly educating your DoD customer.”

Meanwhile, Allen added, smaller cloud providers will likely have to work against the DoD’s competition expectations, which were formed by contracts for things like fighter jets and weaponry, where there are only a couple of companies really capable of competing.

“That’s the type of competition that I think DoD envisions here,” said Allen.

“If you don’t have good brand name recognition inside DoD, you may have a really good cloud-based mouse trap, but you’re going to have a tough time getting established with it, because a lot of DoD buyers prefer getting things from companies with established brand names.”

Still, for cloud service providers that aren’t looking to be on the “main stage” of the DoD’s move to cloud, the fit-for-purpose category may still offer some solid pieces of business.