Testimony by the Pentagon’s top IT official on Capitol Hill Oct. 29 highlighted the department’s continued struggle to explain and assuage concerns about its new enterprise cloud.
At his confirmation hearing, Dana Deasy, the Pentagon’s CIO, was asked to explain several details about the DoD’s Joint Enterprise Defense Infrastructure (JEDI) contract, ranging from the basics of the cloud and security to alleged pressure applied by President Donald Trump. On Oct. 25, the Pentagon awarded the contract to Microsoft, which beat out Amazon Web Services for the potential 10-year, $10 billion contract.
But some attention to the cloud centered on revelations made in a new book that President Trump, who has a longstanding feud with Amazon founder and Washington Post owner Jeff Bezos, ordered then-Secretary of Defense Jim Mattis to “screw” Amazon and award the contract elsewhere. In the hearing, Sen. Angus King, I-Maine, asked Deasy if he could “categorically assure" that the president or the White House didn’t sway the final decision.
“I feel very confident that at no time were team members, that actually [made] the source selection, influenced with any external [pressures], including the White House,” Deasy said before the Senate Armed Services Committee.
Deasy’s answer was very careful, speaking specifically about the source selection team, which he said was kept anonymous and compartmentalized. He did not deny that any pressure from the White House had been applied to other top DoD officials. Deasy said that ultimately the source selection team briefed him on their decision and that he went to the secretary and deputy secretary with their decision.
In an exchange shortly after, King expressed concern about the DoD moving all its data onto a single cloud, prompting Deasy to make a clarification that the Pentagon won’t be moving all its data over to the JEDI cloud, a basic point of the program that the DoD has struggled to make clear throughout the process.
“That’s never been the purpose of JEDI,” Deasy said. “JEDI was one of a multitude of clouds.”
The DoD plans to put 80 percent of its systems on the JEDI cloud, which will contain unclassified, classified and top secret information. Sen. Mazie Hirono, D-Hawaii, asked Deasy what the vulnerabilities of putting data across all three classification levels in the same cloud through a single provider. Hirono’s concern is one that many in industry have had, as well. In response, Deasy said that when writing the RFP, the DoD went to the NSA and CIA and asked them how adversaries try to access DoD networks, as well as how to set standards to ensure that the data across classification levels remains secure.
Post-award, Deasy also said that the NSA would perform penetration testing on the JEDI cloud on all three classification levels.
“They will act like an adversary and they will attempt to try to access each of those classifications of data,” Deasy said.
Enterprise cloud migration
Deasy has said in the past that the initial JEDI cloud is an opportunity for the DoD to “learn” how to do effectively do enterprise cloud acquisition. In his pre-hearing questionnaire, Deasy didn’t give a straight answer in his written response to a question from the committee asking about the DoD timeline for adding more cloud providers, while asserting that they do indeed plan to bring more providers in.
“We plan to look at the feasibility and utility of an additional contract for unclassified services," Deasy wrote. "While we want to move quickly, we also need to ensure that the lessons learned from the JEDI acquisition and implementation can be incorporated into future efforts.”
Cloud adoption, especially the JEDI cloud, is meant to make it easier for war fighters and other components within the DoD to find data and improve the cybersecurity posture of the DoD. The committee also asked Deasy in writing what metrics the department will put in place to measure the successful use of cloud service providers’ capabilities like cybersecurity, analytics tools and access. He wrote that the DoD is reviewing and updating its guidance for cloud implementation.
Deasy also wrote that there is “no specific timetable” established for components move to the cloud. He wrote that he wants all new software development efforts to be built from the “ground up to be cloud enabled.”
The migration of legacy systems to the cloud is a significant challenge for any federal agency. Deasy wrote that he expects that to be no different at the DoD.
“For legacy systems, the transition to cloud will depend on the long term use of the application, the migration cost, and the technical difficulty of migration," Deasy wrote. "Based on my commercial experience, the movement of legacy systems to the cloud will rely heavily on a business case analysis.”
Deasy also wrote that the DoD needs to clear the path to the cloud for department components by “updating rules and guidance for efficient provisioning and use of cloud services, updating security standards for the modern environment, and streamlining outdated processes that have slowed adoption." During his tenure as CIO, Deasy has stressed the war fighter’s need for an enterprise cloud and bemoaned the effects of delays to JEDI.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.