MilCloud 2.0 Rollout Reaches for the Sky
After the success of the Defense Information Systems Agency’s bold step in 2013 to build an on-premise cloud platform called the milCloud 1.0 Cloud Service Offering based on commercial technology, the agency went for more with milCloud version 2.0, driven by extraordinary customer interest, cloud computing’s advantages and cost savings. Unlike milCloud 1.0, for which mission partners paid a monthly fee regardless of usage, version 2.0 is utility-based, and customers only pay for what they use. This allows military customers to scale usage up or down depending on operational requirements.
Last June, the U.S. Department of Defense awarded a $498 million support contract to CSRA, Falls Church, Virginia, to supply, develop, manage and roll out milCloud 2.0. The company has a tall order to fill with what is a unique commercial system under military authority and protection on DOD bases.
Last week, the agency, known as DISA, granted milCloud 2.0 a Defense Department Provisional Authorization for Impact Level 5 systems (DOD PA IL5) to operate as a cloud portal and to provide infrastructure as a service (IaaS). The approval allows the cloud platform to host unclassified national security systems and high-sensitivity systems. The cloud platform is directly connected to the Defense Department’s network that houses sensitive but unclassified Internet Protocol data (SBU IP Data), commonly known as NIPRNet, or nonclassified Internet Protocol router network, a Level 5 system. Ultimately, milCloud 2.0 will provide IL5 and IL6 (Secret) systems for IaaS, Platform as a Service (PaaS), Software as a Service (SaaS) and transition services.
“The milCloud 2.0 Impact Level 5 Provisional Authorization is a critical milestone allowing DISA to move out on operationalizing milCloud 2.0’s business and transition models by utilizing operational DOD early adopters,” said DISA’s milCloud 2.0 Program Manager Caroline Bean.
Crafting milCloud 2.0 began last October with the installation of CSRA-owned servers and other network hardware in data centers at two U.S. Air Force bases—one in Alabama and one in Oklahoma, explained Damon Bramble, business unit director and account general manager, defense agencies, CSRA. The data centers provide the capability for the cloud to be used globally. Because the on-premise cloud is different from a straight commercial cloud data center owned by a commercial supplier somewhere, anyone from any military base running a variety of applications can use milCloud 2.0—as long as he or she meets the necessary requirements, Bramble related. The platform not only offers infrastructure services like hosting a server but also provides extensive software service offerings.
“For developers, it gives them an accredited infrastructure they can develop against,” Bramble said. “You can host help desk as a service or enterprise resource planning as a service, or even machine learning or artificial intelligence as a service. If I am a potential consumer, such as an Air Force systems owner, with milCloud 2.0, I can move to an environment that is competitively priced and serviced on-premise. And I can see other services added on over time. [That makes] it immediately attractive.”
Now that the platform has passed the major milestone of DOD PA IL5—a key aspect of the Cloud Computing Security Requirements Guide security process that opens up the system for broad customer use—vetting will continue as the cloud service is rolled out to more customers. Early adopters will play a key role in validating the milCloud 2.0 business portal and other processes as well as the overall functionality and usability of the cloud service to support DOD workloads, Bean confirmed. Doing so would allow “milCloud 2.0 to get it right the first time and provide a seamless onboarding process for new mission partners,” she said.
“The way that we are implementing it is with vetting by early adopters,” Bramble said. “These customers will use the system, strain it, make sure they can order everything that they want and that they have the flexibility to do what they need.”
One challenge CSRA must meet is the incredible demand for milCloud 2.0. The launch of the platform has been ahead of schedule, but demand has been extraordinary. When DISA’s Cloud Portfolio Chief John Hale announced the contract last summer, he said: “We awarded the contract in June, and everybody in the department wants it today.” Since then, the demand has only amplified.
The interest is not only coming from DISA itself but “those that hosted applications on milCloud 1.0,” Bramble said. “We are seeing a lot more interest from all of the military services, the combatant commands, even folks outside DOD—very high levels of interest.”
Also under the microscope is milCloud 2.0’s approach of combining on-premise hardware owned by CSRA, a private cloud platform and third-party public cloud services. A competing model, like Amazon Web Services Inc.’s Secret Region cloud for the U.S. intelligence community, offers cloud service by a single provider instead of multiple third-party cloud service providers. Proponents of milCloud 2.0’s approach assert that the government is not locked into a single vendor for cloud services, sees lower costs from multiple providers and has access to innovation from new technologies or software that can be added easily by the providers.
CSRA acknowledged it has a lot at stake. “It is important to us to build a good reputation and focus on the customer experience,” Bramble said. “We want folks to see that going to services under milCloud 2.0 will offer an ‘easy to buy’ option. If I am a military service today trying to ask for hosting services, it is kind of complicated—hard to buy and set up. So if milCloud 2.0 is going to be an ‘easy to buy, easy to set up’ option, we have operating models that sort of model that, but we need to make sure that the experience is as easy as it can be for customers. So we will be working to make that smoother.”
Work to enable mission partners’ connection to access the Secret Internet Protocol Router Network (SIPRNet) in milCloud 2.0 will continue over the next few months. This capability is expected to be available late this year, after successful Defense Department Provisional Authorization for this Level 6 system. Notably, in another effort, DISA has just completed steps to modernize SIPRNet. As part of its Access Migration Project, DISA increased the network’s efficiency and capacity and improved survivability. DISA moved from a point-to-point network to a virtual network and increased the bandwidth capacity from 1G to 10G. And once the SIPRNet is connected to the cloud, there will be even more interest, Bramble predicted.
“The level of excitement we see coming from potential consumers of milCloud 2.0 is indicative of the change they see and the transformation that is going to happen in infrastructure hosting,” he said. “I am very excited to see where it goes, where it leads us. We will be listening very hard to DISA mission partners to adapt offerings and to meet their needs.”
Lastly, with the DOD’s issuance of the Joint Enterprise Defense Infrastructure (JEDI) draft request for proposals (RFP) last week, officials clarified the difference between the two ventures. JEDI is calling for commercial cloud services, including PaaS and IaaS. The JEDI solicitation would be an indefinite delivery/indefinite quantity (ID/IQ) contract with a two-year base and options for a total possible performance period of 10 years. The Office of the Secretary of Defense and each service would have its own ordering system for purchasing cloud services offered with firm-fixed pricing and a commercial catalog. At the unveiling of the RFP at the JEDI industry day last Wednesday, Jay Gibson, the DOD’s first chief management officer, offered: “The JEDI cloud is just one contract in part of a much larger strategy for overall information technology efforts.”
According to CSRA, the differences may lie in where the cloud services are provided, which services are available and the amount of security offered by the platform, given its location.
Donald Robinson, CSRA’s chief technology officer for the Defense Group, said the JEDI program appears to be a commercial cloud services solicitation only for IaaS and PaaS capabilities. Meanwhile, the milCloud program is for on-premise commercial cloud for DOD IL5 and IL6 systems for IaaS, PaaS, SaaS and transition services.
Bramble suggested that together, the ventures would provide DOD broader cloud services. “It depends on the needs of the consumer, but these contracts could work together to provide comprehensive cloud services to the DOD,” he stated. “In the industry day yesterday, [acting DOD Chief Information Officer] Essye Miller mentioned that milCloud 2.0 and JEDI were complementary. She said that there are some situations where an off-premise commercial cloud may offer the best fit and others where an on-premise cloud may be a better fit. Off-premise means it could be on a provider’s facility.”
For the most critical applications, on-premise infrastructures—such as milCloud 2.0—provide additional levels of operational security, particularly considering wartime scenarios, Bramble explained. “Off-premise clouds, while they may be accredited at the same cybersecurity risk level, do not mitigate the serious risks that the DOD must consider when projecting its lethal forces,” he noted. “Hence there is a need for both off-premise and on-premise, [with] the difference being how critical the workload is that runs on it.”
Bramble emphasized that milCloud 2.0 is currently on military bases, protected by the Department of Defense Information Network (DODIN), DODIN cyber tools, personnel and military physical security. The platform is “dedicated to this community, consists of our highly secure FedRAMP High solution and is available today,” he said.