Buying Services as a Commodity: The DoD’s New Approach to Cloud Computing

Published: January 28, 2015


With the release of new security requirements, the Department of Defense is poised to begin buying cloud computing services. The requirements are part of a new approach the DoD is putting into place to take the confusion out of cloud computing for Defense customers. This new approach promises to rapidly increase the pace of the DoD’s move to the cloud. It also categorizes cloud services in a standardized buying format that will enable the procurement of cloud services as a commodity.

In mid-January, the Defense Information Systems Agency released new security requirements for companies seeking to provide cloud services to Defense customers.  Industry has welcomed the Department of Defense’s new approach because it promises to greatly increase the department’s use of commercial cloud computing.  In 2015 and beyond the DoD will indeed buy more cloud services from commercial sources.  This business will, however, come at a price, because the new approach also enables Defense customers to buy cloud services as a commodity.

Reading through the guidelines, it becomes clear that DISA and the DoD OCIO are putting into place a cloud-buying system that provides more than a security framework; it also standardizes, to the furthest extent possible, the offerings that vendors can provide.

The guidance states that DISA will categorize vendor offerings according to National Institute of Standards and Technology definitions for service delivery and deployment model.  Vendors will be required to provide DISA with clear definitions of the service delivery and deployment model types that fit their solution.  If vendors do not provide this information, DISA will define the vendor’s offering for them.  The standardized offerings will then be listed in a DoD Cloud Services Catalog that Defense customers can use to select the service they need/want.

The catalog approach has benefits for Defense customers because it simplifies the process they can use to compare commercial cloud services.  For example, an Army program manager wants to use a SaaS-based records management capability in a public cloud environment for low impact data.  Instructed to procure the capability at the lowest possible price, the PM peruses the DoD Cloud Catalog and finds several vendors with an appropriate offering.  All of the commercial offerings are SaaS-based, in a public cloud, are Federal Risk and Authorization Management Program compliant at the necessary data impact level, and promise the levels of confidentiality, integrity, and availability that the project requires.  Who does the Army program manager choose?

If you said the one that costs the least and is technically acceptable, give yourself a pat on the back.  LPTA is the result of competitions carried out in a standardized procurement environment.

What DISA and the DoD OCIO have done with the guidelines is implement a commodity-based procurement approach to IT services requirements. Presented with a catalog of approved cloud services neatly homogenized into discrete categories, Defense customers will look for vendors that have the offering they need. Once they have identified a number of potential vendors, proposals received can be evaluated based solely on price. Functionality, security, and cloud types have all been vetted and pre-approved. There is no need to conduct a best value competition because most of the variables inherent to best value have already been vetted as part of each offering's inclusion in the DoD Cloud Catalog.

In short, cloud services have been commoditized, fulfilling a long-held dream for government buyers of information technology.