Defense Department Flies Into Commercial Cloud
Defense Information Systems Agency mission partners will soon be able to take advantage of cloud computing and storage at up to 70 percent cost savings. The agency’s milCloud 2.0, a commercial-grade private cloud for defense customers scheduled to achieve initial operational capability next month, spreads out costs among many customers and makes infrastructure upgrades more affordable. MilCloud 2.0 also will offer customers much-needed agility, an important feature for warfighters who must respond dynamically to ever-changing threats.
Many U.S. Defense Department organizations are familiar with the agency’s first cloud computing effort, milCloud 1.0, which launched in 2013. The agency, also known as DISA, built, operated and managed an on-premise cloud solution based on commercial technology.
The extraordinary amount of customer interest in milCloud 1.0 and the need to take full advantage of cloud computing advances were two reasons that DISA moved on version 2.0.
Before the first keystroke of writing the request for proposal (RFP), the DISA Cloud Portfolio team spoke with numerous government agencies using cloud capabilities, including the intelligence community, and reached out to industry with several requests for information. This input helped team members understand not only best practices but also the perks and pitfalls of cloud computing in real-life environments.
John Hale, chief of DISA’s Cloud Portfolio, explains that a lowest-price technically acceptable contracting approach was not used. But the goal was to acquire the best value for the government.
In June, a $498 million contract to support milCloud 2.0 was awarded to CSRA, Falls Church, Virginia. The company’s experience in providing private cloud solutions to government and industry customers demonstrated that its solutions would work well for DISA’s mission partners, Hale states.
MilCloud 2.0 includes two distinct elements: infrastructure and contract, explains Donald Robinson, chief technology officer for CSRA’s defense group. In terms of infrastructure, it is a commercial cloud that allows users to go to a portal, acquire the cloud computing capabilities they need and be billed by the hour. “Its uniqueness is that it’s actually going to be deployed in military bases under military authority—military protection. It is a cloud service directly connected to the Defense Department’s unclassified network and eventually to its classified network,” Robinson says.
From a contract perspective, DISA built on lessons learned from milCloud 1.0 and set the foundation for the next eight years and beyond for how the Defense Department should acquire cloud services that fit within department, financial management and auditing regulations. DISA has addressed the acquisition and security challenges the department has faced with moving to cloud, Robinson says.
MilCloud 2.0 will roll out in two phases. When the first phase is complete, mission partners will be able to access the nonsecure Internet protocol router network (NIPRNET) for official use only capabilities. Installation of these capabilities began in October with the first set of servers and nodes established in several data centers in Montgomery, Alabama, and Oklahoma City. Initial operational capability (IOC) of the first phase is scheduled for next month.
The second phase, which is expected to begin immediately after NIPRNET reaches IOC, will enable mission partners to access the secret Internet protocol router network (SIPRNET). This capability is expected to be available at the beginning of fiscal year 2019.
MilCloud 2.0 differs from its predecessor in a number of ways. First, it offers what Hale calls elasticity. Mission partners will be able to scale up or down their usage as operational requirements change. Second, unlike the milCloud 1.0 cost model in which mission partners pay a set monthly fee regardless of usage, milCloud 2.0 is utility-based. Partners only pay for what they use. Third, CSRA’s security model is built around cloud computing.
Hale emphasizes this point. “Cloud providers spent a lot of time over the past five to 10 years securing their solutions because in the commercial world if they failed to secure the data, they’d lose money. In our world, if we fail to secure the data, we have a lot more at risk. By bringing cloud computing capability on-site at our facilities, we are able to leverage both the data security and the physical security,” he explains.
Robinson agrees that security is a key component of milCloud 2.0. “There have been a lot of challenges in interpreting security compliance and how we actually secure Defense Department workloads. We not only offer a cloud that is in compliance, but we also have added additional services to relieve some of that burden and the ambiguity of interpretation for the [military] services. So it’s going to make it quicker to achieve your security management objectives,” he states.
CSRA also will offer migration support for legacy systems and applications. “It’s one thing to offer the access, but often there are challenges in moving a legacy system into a cloud. A lot of decisions need to be made,” Robinson explains. “Sometimes we can do what we call ‘lift and shift.’ You can just take a workload and move it to the cloud. Sometimes you have to refactor an application; sometimes rebuild or retire an application; sometimes just shut it off. The contract enables us to help vendors move to this cloud as efficiently as possible.”
Although milCloud 2.0 will offer significant savings, Hale acknowledges that it is not a perfect fit for every application. “There are certain workloads that simply don’t work in a cloud model, mainly because they’d have to be re-engineered or redesigned to take advantage of the cloud, and there’s no money in the budget to modernize. For example, high data input-output capabilities, mostly around enterprise resource planning systems, take a lot of time, and we made a lot of investments in hardware to run those,” he explains.
Other challenges have included high demand for quick delivery. “We awarded the contract in June, and everybody in the department wants it today,” Hale says. “Making a request fit into a traditional acquisition system, where we have to move money around, has been a challenge. We are working with our financial management team to streamline as many of the processes as possible because transferring funds is the long pole in the tent when it comes to capabilities like this.”
MilCloud 2.0 is being delivered through the Defense Working Capital Fund, minimizing the time it takes to supply the capabilities to warfighters, he adds.
Now, cloud computing is at what Robinson calls an inflection point. “Cloud computing is not new. What is new is we’re at an inflection point—particularly in the government market—in migrating to the cloud,” he says. “What took the government so long to do it? Why is the Defense Department not already there? A lot of it goes back to the security and the risk-taking. Up until now—last year and this year—it took a lot of analysis from a policy perspective. That policy is now clear, and we understand those security requirements.”
In addition to clarifying policy, CSRA is addressing the hurdles back-office functions often pose. The company is providing a single portal for customers to procure what they need with well-defined back-end processes to make purchases in accordance with acquisition regulations for all the services more efficiently, Robinson says.
Also, milCloud 2.0 will be deployed on Defense Department bases and tied to their networks as a fundamental part of the department’s ecosystem. “That is important in terms of risk management,” Robinson explains. “Some applications, particularly those that are mission-specific, like command and control applications, are mission-critical and must be on Defense Department premises, where they can be protected by military personnel and subject only to the jurisdiction of the Defense Department.
“That’s another advantage to buying from CSRA,” he continues. “For some of those workloads, that is going to be a critical component in the overall risk calculus. There are cybersecurity risks that have to be vetted, but then there’s also operational risks, and that’s one of the reasons milCloud is so important. It reduces a lot of that operational risk so you can get the benefits of the cloud. You can get the cost benefits, you can get the additional features, you can get the continuous innovation, but you can reduce your operational risk or maintain your operational risk posture and not have to introduce new operational risk of the other public clouds.”
Hale says he views milCloud 2.0 as a completely new way of supporting both warfighters and the Defense Department overall. “We’re going to revolutionize the way the department does computing and storage,” he says. “We will have the ability to dynamically spin up computer capabilities. The ability to scale and change based on mission demands on a rapid basis revolutionizes the way we’ve done computing. Threats change on a dynamic basis and frequency in a way never seen in the past, and capabilities like milCloud 2.0 are putting the necessary pieces in place, so [warfighters] can change their mission dynamically based on the threats.”