Persistent Defense of Department (DoD) delays in getting large enterprise-wide cloud projects up and running are getting in the way of long-term Pentagon objectives on cybersecurity and artificial intelligence (AI), and forcing some DoD operations to seek cloud work-arounds in the meantime.
When the DoD released its cloud strategy in February 2019, Patrick Shanahan – then acting Secretary of Defense – declared, “The DoD Cloud Strategy reasserts our commitment to cloud and the need to view cloud initiatives from an enterprise perspective for more effective adoption.”
Now, two years later, progress across the three DoD cloud pillar programs – milCloud 2.0, the Defense Enterprise Office Solution (DEOS) program, and the Joint Enterprise Defense Infrastructure (JEDI) program – has been much slower than hoped. These delays are preventing that enterprise-wide vision from becoming a reality and hampering AI and cybersecurity progress that depend on the big cloud projects coming online, plus rapid migration.
One Cloud Up, but Slow Progress
The DoD cloud strategy proposed an enterprise cloud environment including “general purpose” and “fit-for-purpose” cloud infrastructures achieved through multiple vendors. The strategy identified seven strategic objectives, including proactively addressing cyber challenges, enabling AI and data transparency, and extending tactical support to the warfighter at the edge.
The JEDI program, according to the cloud strategy document, was the “foundational approach to deliver the benefits of a general purpose enterprise cloud for DoD,” while milCloud 2.0 and DEOS would serve the department’s fit-for-purpose needs. milCloud 2.0 provides an integrated suite of cloud-based infrastructure services, while DEOS will provide secure productivity and collaboration capabilities in both unclassified and classified settings inside and outside the continental United States.
The Defense Information Systems Agency (DISA) awarded CSRA (now part of General Dynamics Information Technology) with the $500 million milCloud 2.0 contract in June 2017. milCloud 2.0 connects commercial cloud service offerings to DoD networks in a private deployment model.
The program got off to a good start, launching three months ahead of schedule in February 2018. In May 2018, the DoD mandated that its Fourth Estate agencies move more than 100 data centers to milCloud 2.0 by the end of FY20. This mandate included 32,000 separate servers, many of which did not meet the latest security requirements.
Despite this mandate, research released by MeriTalk early last year found that just one in five mission partners were moving to milCloud 2.0, and sources tell us that migration progress has continued to be slow.
But, with the recent addition of Amazon Web Services (AWS) to the milCloud 2.0 contract, milCloud 2.0 is poised to provide both fit-for-purpose and general purpose clouds to meet a wide variety of DoD requirements.
DEOS Ready to Move After Five-Year Saga; JEDI Stuck
The second DoD cloud pillar, DEOS, is finally starting to ramp up after a five-year contracting process, which included multiple protests and delays. The contract was ultimately awarded to GDIT in late October 2020. DISA will take the lead in migrating its users to the cloud-based environment, which will deliver Microsoft Office 365-based collaboration and email services. Broader deployment across the DoD will roll out this summer.
In a statement released in conjunction with GDIT’s announcement of the DEOS contract win, Amy Gilliland, President of GDIT, said the company “stands ready to execute this critical work, which will provide enterprise-wide visibility and collaboration capabilities across the Department of Defense.”
“The need for DEOS capabilities has been further amplified by the COVID-19 crisis, which has forced agencies to leverage other short-term solutions to support their remote workforces,” she said. “More than ever, it’s imperative that we accelerate the deployment of technology to support our mission partners.”
But while DEOS is finally getting off the ground, JEDI is stuck in the mud. After a long protest cycle, the DoD affirmed the contract award to Microsoft in September, but AWS is not giving up the fight; the company filed an updated lawsuit in December. The DoD suggested in a recent communication to Congress that it may consider moving on from its contract with Microsoft should the court battle drag on much longer.
Security Implications of Delays
The recent SolarWinds cyber-attack made it clear that the government’s cybersecurity challenges are only getting more dire. Agencies must protect systems and (ever growing) data residing on premise and in numerous clouds. Users are accessing those systems and data from many locations on myriad devices. And the cyber workforce gap only continues to grow.
While the DoD does not seem to have been affected by the SolarWinds breach, it faces similar challenges as civilian agencies – it has many piecemeal, siloed systems under management that can result in threat vulnerabilities. In fact, the DoD noted in its 2019 cloud strategy that “the Department has historically been challenged to keep up with cyber threats to its infrastructure.”
In the absence of true enterprise cloud solutions, the DoD has taken other measures. The department has more than 500 clouds, among them, the Air Force’s Cloud One, which had 40 large scale applications up on the environment by the middle of last year. The Army is also starting to build out its own enterprise cloud architecture that will extend to the tactical edge.
And of course, last April, the DoD rolled out its Commercial Virtual Remote (CVR) environment, a DoD-only instance of Microsoft Teams to support the department’s move toward wide-scale telework in response to the pandemic. By April 15, the DoD had ramped up 450,000 users on the platform, and by July 15 had scaled to 1.2 million.
But while the CVR roll-out was a success, it was always considered to be a temporary solution. A post on Daily Defense News regarding the Navy’s roll-out of the solution noted, “After mass telework operations end, CVR/Teams will cease to exist. Users should be keenly aware that information in Teams will not be accessible long term.”
In addition, agencies can only use it for information classed at Impact Level (IL) 2 (data that is cleared for public release). It is not suitable for national security data or secret/classified requirements. However, a memo released by the DoD Office of the CIO noted that given the national crisis, the DoD would temporarily waive many requirements that limit the processing of controlled unclassified information (CUI) up to IL 4 for the CVR environment.
CVR is expected to give way to DEOS – which will cover both classified and unclassified environments – this summer.
Solution Available Today
But all of these point solutions are impeding the DoD’s vision of an enterprise-wide cloud.
Last February, in a declaration filed by the DoD, Lt. Gen. Bradford Shwedo, then the Joint Staff’s chief information officer, noted, “The continued absence of DoD-wide, enterprise cloud computing capability seriously impedes the military’s ability to collaborate and share information with our military services, partner nations, and the intelligence community. The United States cannot expect military success fighting tomorrow’s conflicts with yesterday’s technology. Providing DoD with rapid access to an enterprise cloud, one which provides elastic computing power and storage, is vital to U.S. national security.”
Fortunately, with milCloud 2.0, the DoD has an enterprise cloud available today, and with the addition of AWS to the milCloud 2.0 family, the solution is more robust than ever. Even with JEDI stalled, with milCloud 2.0 available now and DEOS coming soon, the Department is getting closer to its enterprise cloud vision. Accelerated migration will be critical in helping the DoD reduce its cyber attack surface, while providing best-in-class technology to spur innovation and mission success.