Cloud Capabilities Abound
The Defense Information Systems Agency, known as DISA, attests that it is offering versatile cloud and software environments that will support warfighters in the near-peer adversarial fight. Several ventures, including the Joint Warfighting Cloud Capability (JWCC), are giving department stakeholders new compute, development, storage, analytics, digital infrastructure and other services through DISA Hosting and Compute Center programs such as the JWCC, Stratus, containers as a service (CaaS) and Vulcan.
The JWCC, which opened for U.S. Department of Defense (DoD) customers in December of 2022, provides a unique cloud platform, said Program Manager Ryan McArthur. “I think that what is important to know about JWCC is that we broke a lot of barriers,” he noted. “What JWCC is bringing to the department that is new is bringing cloud in at all classification levels.”
He also stressed the value of having the JWCC under one enterprise contract vehicle, bringing in direct relationships with the cloud service providers. “No contract in the department has that direct relationship with the CSPs. Having that single point to be able to go to the vendors and be able to [interact with them] when it comes to meeting capabilities, needing to drive cost parity or cybersecurity incidents, those are groundbreaking things for the department at large.”
The relationship with the Hosting and Compute Center—which works with DoD customers to shape their cloud service requirements—and other DoD officials and the private sector cloud companies is already proving fruitful, McArthur said. “We’re really starting to see how we’re able to influence the CSPs,” he stated. “I also think that as we’re able to gather the requirements, we are able to ensure that they’re meeting our needs and ensure that the department is getting the best-in-class capabilities moving forward for the warfighter. Those are all groundbreaking things.”
McArthur, a retired Army warrant officer, helped stand up the JWCC over the last year and a half. The well-established FedRAMP processes significantly reduce the obstacles on the unclassified side, but he sees challenges revolving around the classified side. McArthur remains optimistic, however, given the unique partnership DoD created with the intelligence community, or IC.
“The classified side is a bit more challenging. Where JWCC broke a paradigm is the partnership that we put in place with the IC. I can tell you with strong confidence that the JWCC will be the only contract that has TS [Top Secret]. When it comes to the intermingling of Title 10 and Title 50 authorities, the joint-use agreement that we’ve put in place with the IC for the JWCC is the first of its kind. It was very hard to put in place.”
Moreover, the cloud providers are in various stages of being able to offer classified cloud services. “What we’ve noticed on both the Secret and TS fabrics is that there’s different players in the game and different authorities that we’ve run into,” he noted. “Amazon and Microsoft have been in the government space a lot longer from a cloud perspective. Whereas Google and Oracle are both moving further into their cloud journey. Oracle’s a little further along than Google is. But we’re helping all four of them progress in their journey and working with the IC, with that partnership, to get them there.”
The JWCC already has about a dozen customers signed on for cloud services. Customers’ needs differ, whether it is to transition websites, move away from on-premise servers or transition their on-premise applications. “We also have some organizations that have their applications already in the cloud and are just wanting to transition their contracts,” McArthur shared. “It really truly runs the gambit.”
In addition, DISA’s Shauna Martin, chief, Enterprise Virtualization Branch, sees DISA’s new virtualization offerings as “game-changing.” Martin manages multiple groups responsible for the agency’s various virtual infrastructures and platforms, including the CaaS, Stratus, virtual desktop infrastructures, X86 and non-X86 virtual infrastructures.
“Containers as a service, or CaaS, is a containerized hosting platform that’s on-premise,” she explained. “DISA manages that from the platform orchestration layer down, providing all of the cyber posture of that environment and then mission partners can elect to host on that environment.”
Hosting on their own environments offers mission partners an array of benefits. “They don’t need to worry about developing the tool or the skill sets needed to manage a complex environment like that. They can focus on their application development, and simply deploy it and run it on the environment. ... And being able to give mission partners an opportunity to keep their data, keep their applications on-prem while still utilizing a cloud-native capability is really important to us.”
Several user groups, including from the Office of the Secretary of Defense and the Defense Finance and Accounting Service, are employing CaaS for their applications. “There seems to be a lot of demand within agencies to modernize their legacy applications with containers as well as develop new applications utilizing this technology,” Martin said.
Naturally, some applications are easier to move to containerization, the chief noted, saying, “stateless web servers are, by far, the easiest target to move on to containers. And because this is a cloud-native hybrid technology, you can run your web server on the CaaS platform, and it can reach back and communicate to a bare metal database running in the data center with no problems.” Large databases, such as Oracle and Structured Query Language, or SQL, require “a bit of a refactoring,” she said.
DISA’s software development tools as part of the Vulcan program—including web.git.mil and GitLab Premium—will help users across the department to adopt development, security and operations (DevSecOps) and agile methods. In addition, other tools in the suite, such as Jira and Confluence, provide advanced project management, knowledge sharing, virtual collaboration and other digital infrastructure components. The suite is offered through a software-as-a-service construct, Dave Lago, Vulcan program manager, said.
“First and foremost, we are making these tools more widely available for DevSecOps, and agile for software modernization,” the program manager noted. He emphasized two benefits: offering best value and affordability for even small projects or groups and meeting customers “where they’re at” regarding cloud capabilities. “We recognize that not everybody has a state-of-the-art container workload, and some of them have a mixture of that and also legacy workloads. We want to be able to meet customers where they’re at and have them be able to leverage our tools, regardless of their maturity.”
Vulcan cloud engineer Alex McFarland added, “A lot of times organizations know they’re supposed to be doing DevSecOps, but they don’t always know what it is and where they should get started. This ultimately is supposed to make things faster and safer and drive costs down. But if they have to procure a bunch of expensive software and make a permanent commitment to do that, along with arguing for some of the other cultural type changes, that can stop that innovation flywheel from starting in the first place. Hopefully, by offering a lower cost offering, we can assist with that.”
McFarland started creating the platform last summer, using a small agile team to keep build costs down. They expect to have a minimum viable product by late spring. The key, Lago said, was to harness existing automation platforms. “The creation story of Vulcan is us using as much automation as we could,” he said. “We really leveraged DoD cloud IAC [infrastructure as code] to build the environment and also the Air Force Platform One Big Bang, which is a container automation distro [distribution tool], which allowed our small team to really focus in on the application and the software as a service that we’re providing.”
“We wanted to stand on people’s shoulders as much as possible,” the cloud engineer noted.
The Vulcan cloud engineer also emphasized that the team itself is abiding by advanced software development concepts. “One of the things that’s also important to me as far as how it’s built and operates, is that we’re trying to use DevSecOps infrastructure as code principles to operate and maintain the environment. We’re not just building a tool for other people to do it. We are trying to walk the walk here as well.”
The Vulcan team does plan on adding more tools in the future, based on customer demand signals, Lago said.
“There’s two criteria that we’re looking at as we add more capabilities and tools into the space,” he explained. “The first is, do they add some kind of value proposition? Is there something that they’re giving that these tools don’t have from a functional perspective? And also, can they be offered on a low per-seat basis because we want to continue to be a best-value offering.”
Meanwhile, DISA’s Stratus private cloud offering provides flexibility for mission partners, according to Stratus Program Manager Kim Lingafelt. Lingafelt helped stand up DoD’s MilCloud 2.0 as a DISA branch chief and then produced DISA’s special access program, establishing authorization and access for specific stakeholders.
“Stratus is our DoD private cloud,” Lingafelt explained. “And we have that running to provide optionality for our operational partners.”
It is included on both the Non-classified Internet Protocol Router Network and the Secure Internet Protocol Router Network levels and can provide all the way up to impact level 6 hosting. “[It] is focused on out-of-the box infrastructure as a service, with compute, storage and memory. We have our standard allowed for rapid elasticity, our resource pooling. We have our self-service portal where the mission partners manage their infrastructure, where they can turn off and on their VDCs [virtual data centers] and that helps them with their billing.”
The Stratus cloud environment opened in March 2022. DISA found a strong need for private cloud remained after the MilCloud 2.0 contract expired.
“We had done a lot of outreach, and there was still a high demand for mission partners wanting private cloud,” Lingafelt shared. “A lot of applications just aren’t ready. They need refactoring or they have on-site requirements to keep their data inside of a DoD facility.”
As of the end of January 2023, the agency had 139 mission partners across the unclassified and classified network environments ... with 14,000 central processing units and over 51,000 gigs of memory. “We’re talking 2 million gigs of terawatt across those 139 mission partner environments.”
And while some mission partners want to just pay for and manage their Stratus private cloud themselves, the program also offers managed services, including security service options such as vulnerability management and cybersecurity service provider assistance or financial management.
“When you leverage Stratus, our accreditation allows you to inherit the controls,” Lingafelt said. “That helps our mission partners get through their accreditation packages.”
In addition, Stratus’ private cloud environment supports disaster recovery and continuity of operations planning. “We have that ability since we have our environments at two different data centers,” the program manager noted. “We also offer different levels of storage. We have our standard, tier-one primary storage, really fast storage. And if partners are looking for some more cost savings, we also have our tier two. And then we also have object storage. It’s for mission partners that have gigantic storage requirements, where they have to keep that data for a certain period of time.”