Editor’s note: Joey Cresta is an Analyst for the Public Sector and Cassandra Mooshian is a Senior Analyst for Cloud Computing at Technology Business Research.
HAMPTON, N.H. – The DOD’s JEDI cloud contract illustrates how IT prowess enables a strong national security posture.
Central governments, even more than the largest commercial enterprises, struggle to keep pace with the current rate of technological change. Many times, major decisions do not occur proactively, but rather are made in response to gaps in capabilities that become matters of national security. The U.S. Department of Defense’s (DOD) Joint Enterprise Defense Infrastructure (JEDI) contract indicates the DOD finds itself in that very position, spurred by a need to address technology gaps resulting from a decades-long lapse in investment that started with the end of the Cold War.
Since that time, near-peer rivals such as Russia and China have developed advanced capabilities in anti-access/area denial electronic warfare, state-sponsored cyber, and other technologies that make space and cyberspace contested warfare domains, eroding the U.S.’ traditional advantages in unassailable power projection on a global scale and increasing its vulnerability.
The sole-source nature of the JEDI contract, despite protests from most of industry that a sole-source cloud is not a prudent approach for any enterprise, highlights the DOD’s aggressive aspirations. The contract is a microcosm of broader efforts to bring new capabilities to the field quicker by skirting traditional lengthy procurement processes that often prove problematic due to the rapid pace of technological innovation. As evidenced by a recent announcement that the Pentagon has delayed the final JEDI request for proposals to conduct further studies on the best path forward, the contract also reflects continued challenges around consensus-building within bureaucratic and byzantine government structures, which remains a primary impediment to gaining the political will necessary to move with agility toward a modern IT posture.
As articulated by the DOD’s JEDI justification document for Congress, an extensible and secure global cloud environment facilitates rapid access to computing and data storage to enhance the DOD’s ability to better leverage multi-intelligence data and apply advanced artificial intelligence (AI) and machine learning solutions necessary to win on the battlefield of the future.
In this regard, the DOD’s rationale is solid, but many see a disconnect not only in the preference for a single cloud solution but also in requirements that at best limit viability to a few vendors and at worst seem tailor-made for Amazon Web Services (AWS). AWS, equipped with Impact Level 6 (IL6)
accreditation, the ability to host classified and unclassified data, experience delivering a cloud environment for the intelligence community and a commercially led revenue mix, brings a unique combination of traits to position as the presumptive favorite for the program.
JEDI’s ‘fair and open to all’ messaging directly contradicts its requirements
This contract presents a fundamental shift in the cloud market. The U.S. federal government has recognized its lackluster IT advancement and understands change must be made to stay ahead of cyberattacks and advance the technology infrastructure of the United States at its highest levels. It also represents a significant point of maturation for the cloud market, with the last of the major industries coming on board and recognizing the
benefits of cloud adoption and making a monumental shift.
JEDI’s second task order, the most controversial piece of the contract, is the cloud delivery portion where a single commercial cloud service provider will be chosen by the DOD to provide the underlying cloud infrastructure and platform (IaaS and PaaS) layers of the DOD’s enterprisewide cloud. Much of the buzz surrounding this contract, which has a $10 billion ceiling, centers on which vendor will be chosen in fact will be chosen as the cloud provider.
Controversy has arisen over the DOD’s plan to award the task order to one vendor, something Oracle (NYSE: Oracle), IBM (NYSE: IBM) and others have expressed disdain for, particularly as it is not like the U.S. government to put so many of its eggs into one basket when awarding technology and services contracts. We believe that what is slipping under the radar, however, is the program requirement that at least 20% of the total contract value goes to small business, which will necessitate that the winning bidder pulls a partner ecosystem into the mix as well.
This is how, we believe, vendors such as Oracle are still in the running despite AWS being the only commercial cloud vendor to achieve IL6 clearance. This is a prime example, just on a very large scale and open to scrutiny by the public, of the importance and commonality of hybrid, multi-vendor environments. Most organizations have taken notable strides in their efforts to establish and expand their hybrid environments, but the government has lagged until now. The DOD is not all that different from commercial enterprise and SMB organizations in that it would seemingly want one vendor to be the point of contact and environment architect and manager, but also best-fit solutions for each workload and requirement, which brings multiple vendors into the equation.
Many cloud and IT services providers have expressed concern about the DOD going all-in on one cloud. While we expect the DOD’s reasoning centers on not getting bogged down in more bid protests and extending the start date of the contract, there could also be motivations the DOD is unable to share with the public, including certain security features and disaster recovery and backup fail safes if a disaster were to occur. So, for those reasons, we may never know the full extent of the rationale behind this sole-source contract.
The other school of thought is that it is far riskier to put all of the DOD’s data on one cloud, particularly as there have been notable outages and breaches in the cloud market, one of which was a very buzzworthy AWS U.S. East outage last year, affecting much of the Eastern Seaboard. While this happened to AWS’ public cloud and not the dedicated community cloud it has had set up for the CIA for quite some time, if a vulnerability exposure or breach were to happen to the cloud the DOD ultimately chooses, the repercussions to U.S. government security could be catastrophic.
AWS is the strongest contender … for now
Amazon’s (Nasdaq: AMZN) cloud arm, AWS, is thought to be the front-runner from the cloud, vendor and press communities, with its IaaS dominance, PaaS capabilities and proven success in providing government-grade cloud solutions; Microsoft (Nasdaq: MSFT) with its Azure cloud portfolio is viewed by many as a solid second choice.
To complicate matters, there is a unique blend of business and politics at play, even though the White House has said that President Donald Trump is not interfering. However, Oracle co-CEO Safra Catz has spoken with the president about the idea of a single award contract while Amazon CEO Jeff Bezos and the president have clashed in the past.
Since 2011, when AWS first launched its GovCloud region for sensitive yet unclassified workloads, the company has continued to advance its government-oriented capabilities and certifications, to which the government has responded well. This underscores that AWS has been involved in government cloud initiatives and handling highly classified data, arguably since before IaaS and Microsoft Azure IaaS became mainstream. Notably, in 2013, AWS was chosen by the CIA and many other agencies in the intelligence community to host and run workloads that contained top secret data.
Additionally, in recent weeks, there has been mounting speculation that AWS could be expanding its CIA cloud to the Army’s National Ground Intelligence Agency through the Commercial Cloud Services (C2S) contract, which would include top-secret, secret and unclassified data.
AWS, Microsoft and General Dynamics (NYSE: GD) are the only three vendors with FedRAMP High certifications, though General Dynamics is not eligible to compete for the sole cloud provider role due to more than 50% of its revenue coming from the public sector. Though AWS is currently the only commercial cloud vendor to achieve both FedRAMP High and Defense Information Systems Agency (DISA) IL6 certifications, Microsoft is close to achieving IL6 certification, very likely before the contract is awarded.
Currently, Microsoft Azure Government Cloud in the U.S. DOD East and DOD Central are certified IL5, as is Microsoft Office 365. Azure Government Secret, announced in the fall of 2017, is set to launch soon, and with that, Microsoft will be eligible to bid for JEDI on all fronts, having IL6 certifications upon its launch.
Also in Microsoft’s favor is its Azure Stack offering, essentially allowing for the DOD’s consumption of Azure IaaS and PaaS services but behind the DOD’s firewall for remote locations at the tactical edge. Microsoft’s Azure Stack hardware partners, Dell EMC, Hewlett Packard Enterprise (NYSE: HPE), Lenovo and Cisco (Nasdaq: CSCO) would need consideration as well, and it is our belief, based on work the government and DOD have already done with the former stand-alone Dell, Microsoft Azure Stack on Dell EMC would be the option of choice. AWS may remain the front-runner, however, as it could partner with either Oracle, IBM or Microsoft to achieve similar solutions and availability.
The DOD must pursue consensus as cloud efforts forge ahead
Former U.S. President Barack Obama originally announced the federal government’s cloud-first strategy in 2010, but security, policy and people remained significant obstacles to executing the president’s vision. Eight years later, with answers to questions about security and policy in place, the DOD is getting aggressive about cloud migration.
However, the third key factor — people — remains a challenge for government, as evidenced by the nature of the JEDI procurement.
The DOD’s appetite for commercially proven technology has evolved, but its chain of command and top-down leadership structure remain in place, presenting significant cultural hurdles to adopting best practices and accepting input that diverges from preconceived opinions. This is reflected in the DOD’s steadfast emphasis on JEDI as a sole-source cloud despite the majority of technology experts from private industry calling the strategy into
question.
Due to its strong culture and difficulty in building consensus, the DOD will continue to struggle with change management, which ultimately could undermine its ability to develop a coherent and uniform cloud strategy, despite the intentions behind JEDI. Generous timelines would suggest that, given the length of the bidding process and likelihood of a protest, JEDI will only begin in earnest in 2020. In the meantime, technology will continue to evolve. It is feasible that Microsoft could develop capabilities that differentiate it and provide a competitive advantage against AWS in that time frame.
JEDI and complementary efforts indicate the DOD has achieved consensus around the importance of cloud. Clear mechanisms are already in place for the DOD to adopt cloud services, such as DISA’s milCloud 2.0 contract currently held by General Dynamics via its acquisition of CSRA. Additionally, the General Services Administration’s IT Schedule 70 includes Special Item Number 132-40 designed specifically to make it easier for agencies to acquire cloud services. Without buy-in on an integrated and balanced strategy, the DOD runs the risk of fostering more inefficiency and a bloated technology footprint, providing operational disadvantages and undermining the goals of its cloud aspirations. The JEDI contract includes limited opportunity for services providers given migration and transition services are outside the contract’s scope, but services providers will not sit idly by and wait for JEDI migration opportunities to arise. The best bet for the DOD would be to embrace these disparate acquisition
options to complement and bridge the gap with the JEDI effort.
(C) TBR
