The Defense Information Systems Agency's in-house, high-security suite of cloud services known as milCloud has, since its inception, remained an internal capability. But following the lead of other government agencies and even its own components, DISA now is opening the door to commercial providers for milCloud.
The next iteration of milCloud aims to compete with the IBMs and Amazon Web Services of the world — sort of. There are stipulations, such as the commercial infrastructure must reside within DoD facilities and remain attached to DoD networks. It will, for all intents and purposes, be a contractor-operated, government-owned capability.
"There are contractors willing and able to capitalize the initial site as well as the initial [certification and accreditation] process, so what does that mean? That actually means you pay for it. The government doesn't fund it; you build it and then sell it back to make your money and recoup your investment. That's a key point," Scott Stewart, chief of IT contracting for DISA's Defense Information Technology Contracting Organization, said Feb. 22 at DISA's milCloud industry day.
This isn't the Defense Department's first crack at this kind of setup — the Navy Marine Corps Intranet is run in a similar fashion under NGEN, and IBM operates a cloud capability in-house at the Navy's Allegany Ballistics Laboratory in West Virginia. At press time, IBM was the only company cleared to handle level 5 data, but more companies are in the pipeline.
DISA officials say they continue to toe a line that so far isn't well-defined.
"There's a line of demarcation where the contractor builds the bare metal [and] the hypervisor and below, and the government controls from above," Stewart said. "What we're exploring here is, where is that line of demarcation? Where's the line for what's the contractor's responsibility and the government's responsibility? Where each ends and each begins — where is that handshake?"
It's something that agencies across the government, not just at DoD, are trying to negotiate as they look to cloud's promises of savings and efficiencies. At the center of the deliberations are the rules for buying commercial goods and services — the various and numerous directives and guidance that govern acquisition.
"Technically, this is not really cosmic. The hard part is the business aspect of it, the contracting aspect," Stewart said, noting that DoD still is determining its strategy for milCloud, whether that means using a standalone indefinite quantity, indefinite delivery model, an existing governmentwide acquisition contract, a small business set-aside or something else.
"We're really hoping to get to an environment where we pay by the drink for our customers so that they're not buying blocks, they're not over-provisioning — they're only paying for the use that they want to spend," Stewart said. "If they want to use it for two weeks, that's what they pay for...if they want to [use] it in perpetuity, they can do that as well. So these are challenges we're facing right now: How do we make that work given the constraints that we have in the contracting and acquisition processes?"
Government agencies and the cloud vendor community alike are watching closely to see DISA's next moves with milCloud, especially how officials handle the storage and use of more highly classified — known as level 5 or level 6 — DoD data. For a long time, the only option for such sensitive information was the highly secured, non-commercial milCloud, but that's changing, at least the non-commercial part.
"What we're looking at doing is opening up our floor space and then enabling commercial providers to come in and offer their services from within inside the DoD perimeter," Rob Vietmeyer, associate director for cloud computing and agile development in the enterprise services and integration directorate at the DoD CIO's office, said in December. "It may be our floor space or [in some cases] it may just be within our network in their own facilities. But we are looking at dedicated implementation for these cloud services that we can then offer to the DoD community for our high-impact, mission-critical systems, level 5 and even level 6. In the classified environment we're not going to be connected to the internet or other commercial infrastructures; we're going to run that from fully private, dedicated Defense Department infrastructures."