Been there. Done that.
AFRL developed, accredited, and deployed a free LiveCD webSSO for small, fast, niche uses that provide CAC-in to Google. AFRL used it for ~6 months to provide CAC-in to its Google pilot. It's also DISA STIG'd, a testbed for advanced authentication technologies, and now a free project at software.forge.mil/sf/projects/secure_end_node_testbed_sent_a_l. Any group can now create their own.
AFRL also created and tested CAC-in using the AF Portal... fast, simple, and free. AFRL is using it now to provide CAC-in for its ~140 person GAfG pilot. The novel process can be adopted by anyone. AKO is conducting a similar test very soon. See https://www.milsuite.mil/book/message/441465 . The process can be automated so any group could obtain such a CAC-in service from those enterprise-class Single Sign On (webSSO) services in a few minutes w/out approval. For large GAfG domains, AFRL is also exploring an advanced solution which leverages the webSSO's account & identity management services to ease GAfG admin duties.
All the above solutions are for / were tested on Google Apps for Government domains, but they can be used for any SAML v2.0 compliant cloud for authentication.
The GAfG domains used are accredited / approved for CUI / FOUO / sensitive info.
No CRADA, contract, or such was needed. It was mostly a part-time effort of just one person. AFRL just used Google's published standards, added a few COTS elements, and some ingenuity. Easy.
Other GAfG pilots across the DoD have solved similar and tougher issues wrt the cloud.
AFRL repeatedly offered its work to DISA.